Introduction


The AZ-104 exam focuses on common tasks and concepts that an administrator needs to know to deploy and manage infrastructure in Microsoft Azure. Managing Azure identities and Azure subscriptions is a key topic on the exam; it includes managing Azure AD objects (users, groups, and devices), the use of Azure AD Join and self-service password reset, role-based access control, tagging, subscription-level policies, and resource organization using resource groups, subscriptions, and management groups. Another topic covered is implementing and managing storage, which includes creating and configuring storage accounts as well as configuring Azure Files and understanding the services for importing and exporting data to Azure. A significant portion of the exam is focused on deploying and managing Azure compute resources, which includes configuring high availability of Azure VMs, creating and configuring virtual machines and their automated deployments, and creating and configuring container solutions such as Azure Kubernetes Service (AKS) and Azure Container Instances (ACI); it also covers configuring web apps using App Service and App Service plans. This book also covers the creation and management of virtual networks, DNS, connectivity between virtual networks, configuring network security groups, Azure Firewall, and Azure Bastion; it also explains the load-balancing solutions, including configuration of Application Gateway. The final topic is monitoring and backing up Azure resources, which includes how to monitor resources using Azure Monitor as well as how to implement backup and recovery of Azure VMs, including site-to-site recovery using Azure Site Recovery.


This book is geared toward Azure administrators who manage cloud services that span storage, security, networking, and compute. It explains how to configure and deploy services across a broad range of related Azure services to help you prepare for the exam.


This book covers every major topic area found on the exam, but it does not cover every exam question. Only the Microsoft exam team has access to the exam questions, and Microsoft regularly adds new questions to the exam, making it impossible to cover specific questions. You should consider this book a supplement to your relevant real-world experience and other study materials. If you encounter a topic in this book that you do not feel completely comfortable with, use the reference links provided throughout this book and take the time to research and study the topic. Great information is available on Microsoft Docs.


Organization of this book 


This book is organized by the “Skills measured” list published for the exam. The “Skills measured” list is available for each exam on the Microsoft Learning website: https://aka.ms/examlist. Each chapter in this book corresponds to a major topic area in the list, and the technical tasks in each topic area determine a chapter's organization. If an exam covers six major topic areas, for example, the book will contain six chapters.


Preparing for the exam 


Microsoft certification exams are a great way to build your resume and let the world know 
about your level of expertise. Certification exams validate your on-the-job experience and 
product knowledge. Although there is no substitute for on-the-job experience, preparation 
through study and hands-on practice can help you prepare for the exam. This book is not 
designed to teach you new skills. 


We recommend that you augment your exam preparation plan by using a combination of 
available study materials and courses. For example, you might use the Exam Ref and another 
study guide for your “at home” preparation and take a Microsoft Official Curriculum course for 
the classroom experience. Choose the combination that you think works best for you. Learn 
more about available classroom training and find free online courses and live events at 
http://microsoft.com/learn. Microsoft Official Practice Tests are available for many exams at 
http://aka.ms/practicetests. 


Note that this Exam Ref is based on publicly available information about the exam and the 
author's experience. To safeguard the integrity of the exam, authors do not have access to the 
live exam. 


Microsoft certifications 


Microsoft certifications distinguish you by proving your command of a broad set of skills and 
experience with current Microsoft products and technologies. The exams and corresponding 
certifications are developed to validate your mastery of critical competencies as you design 
and develop, or implement and support, solutions with Microsoft products and technologies 
both on-premises and in the cloud. Certification brings a variety of benefits to the individual 
and to employers and organizations. 


MORE INFO ALL MICROSOFT CERTIFICATIONS


For information about Microsoft certifications, including a full list of available certifications, 
go to http://www.microsoft.com/learn. 
Quick access to online references


Throughout this book are addresses to webpages that the author has recommended you visit 
for more information. Some of these links can be very long and painstaking to type, so we've 
shortened them for you to make them easier to visit. We've also compiled them into a single 
list that readers of the print edition can refer to while they read. 

Download the list at MicrosoftPressStore.com/ExamRefAZ104/downloads 


The URLs are organized by chapter and heading. Every time you come across a URL in the 
book, find the hyperlink in the list to go directly to the webpage. 


Errata, updates, & book support 


We've made every effort to ensure the accuracy of this book and its companion content. You 
can access updates to this book—in the form of a list of submitted errata and their related 
corrections—at: 


MicrosoftPressStore.com/ExamRefAZ104/errata 
If you discover an error that is not already listed, please submit it to us at the same page. 
For additional book support and information, please visit MicrosoftPressStore.com/Support. 


Please note that product support for Microsoft software and hardware is not offered 
through the previous addresses. For help with Microsoft software or hardware, go to 
http://support.microsoft.com. 


Stay in touch 


Let's keep the conversation going! We're on Twitter: http://twitter.com/MicrosoftPress. 


CHAPTER 1

Manage Azure identities and governance


Microsoft has long been a leader in the identity space. This leadership goes back to the introduction of Active Directory (AD) with Windows 2000, before the cloud even existed. Microsoft moved into cloud identity with the introduction of Azure Active Directory (Azure AD), which is now used by more than 5 million companies around the world. The adoption of Office 365 led to this extended use of Azure AD. These two technologies, however, have very different purposes, with AD primarily used on-premises and Azure AD primarily used for the cloud.


Microsoft has poured resources into making AD and Azure AD work together. The concept is to extend the identity that lives on-premises to the cloud by synchronizing the identities. This ability is provided by Azure AD Connect. Microsoft has also invested in extending those identities to enable scenarios such as single sign-on by using Active Directory Federation Services (ADFS), which is deployed in many large enterprises. (Note that Azure AD Connect is not covered on the AZ-104 exam.)

Microsoft has continued pushing forward by developing options for developers to leverage Azure AD for their applications. Microsoft provides the ability for developers to extend a company’s Azure AD to users outside of the organization. The first option is known as Azure AD B2C (Business-to-Customer). This allows customers to sign in to applications using their social media accounts, such as a Facebook ID. A complementary technology—Azure AD B2B (Business to Business)—extends Azure AD to business partners.

This area of the AZ-104 exam is focused on the management of identities using Azure 
Active Directory. 

In the latter part of this chapter, you will also learn how to manage role-based access control (formally known as RBAC) for Azure resources, including the following topics:

■ Understand how RBAC works
■ Create a custom role assignment
■ Provide access to Azure resources using different roles
■ Interpret access assignment
■ Manage multiple directories

Finally, you will learn how to manage Azure subscriptions and other resources. This includes how to:

■ Configure Azure policies
■ Configure resource locks
■ Apply and manage tags on resources
■ Manage resource groups
■ Manage subscriptions
■ Configure management groups
■ Manage costs


By understanding the controls that are available in Azure for subscription and resource 
management, you enable your organization for success across your Azure estate. 


Skills covered in this chapter:

■ Skill 1.1: Manage Azure Active Directory (Azure AD) objects
■ Skill 1.2: Manage role-based access control (RBAC)
■ Skill 1.3: Manage subscriptions and governance


Skill 1.1: Manage Azure Active Directory (Azure AD) objects


In an Azure AD tenant, there are users, groups, and devices that are controlled through the 
features of Azure AD discussed in this section. In this section, we focus on managing users and 
groups throughout their lifecycles, how to manage device settings, how to perform bulk updates 
to users using automation tooling such as PowerShell, and how to manage guest accounts. 


In the latter part of this section, we will also discuss how to manage devices with Azure 
AD Join and how to configure user experience controls, such as self-service password reset 
(SSPR). 


This skill covers:

■ Create users and groups
■ Manage user and group properties
■ Manage device settings
■ Perform bulk user updates
■ Manage guest accounts
■ Configure Azure AD Join
■ Configure self-service password reset


Create users and groups


There are primarily two types of users in Azure AD — cloud-only users and users synchronized 
from an on-premises directory. Cloud-only users are created and managed exclusively in Azure 
AD, and their attributes can be updated directly in Azure AD. 


You can create cloud-only users through the Azure portal, Azure PowerShell, and the Azure 
command-line interface (CLI). When creating new users, you must be assigned to the Global 
Administrator or User Administrator role. See Skill 1.2 for more details about various roles and 
their assignments. 


To create users from the Azure portal, sign in as a user with rights to create users, search for Azure Active Directory in the search pane (or browse to all Azure services and select Azure Active Directory), click Users to access the Users blade, and click +New User. An example of this blade is shown in Figure 1-1. Note that you can also invite guest users to your directory through the Azure portal.

When creating a new user, only the username (the sign-in address for Azure AD) and the user's name (given name and surname) are mandatory. You can configure additional settings, such as assigning specific groups and roles, blocking sign-ins from a specific location, and so on.


MORE INFO

For more information, see: https://docs.microsoft.com/azure/governance/blueprints/tutorials/protect-new-resources.


Groups are collections of objects that make role assignments and access permissions easier to manage. A group can contain groups, users, devices, or service principals. When using groups, you eliminate the need to individually assign roles or permissions. Creating groups is a similar experience and can be performed from the Azure portal, Azure PowerShell, the Azure CLI, and Microsoft Graph. To create a group in the Azure portal, search for Azure Active Directory or browse to all Azure services, select Azure Active Directory, click Groups to access the Groups blade, and click +New Group. The New Group blade is shown in Figure 1-2.


When creating a new group, there are several factors that dictate the type of group 
that is created and how that group behaves in Azure AD and associated workloads, such as 
Office 365. 


MORE INFO

In 2020, Office 365 was renamed Microsoft 365. The Azure portal UI still shows the old terminology, so it is referred to as “Office 365” throughout this chapter. You can find details on how Microsoft 365 is integrated with Azure at https://docs.microsoft.com/microsoft-365/enterprise/azure-integration.
[Figure 1-1 (screenshot not reproduced): the New User blade, with the Create User and Invite User options at the top, followed by the Identity (User name, Name, First name, Last name), Groups and roles (Groups, Roles), Settings (Block sign in, Usage location), and Job info (Job title, Department) sections.]

FIGURE 1-1 New user blade in the Azure portal


First, you must select the type of group you are creating. You have two options: Security and Office 365. Security groups allow you to grant access to Azure resources to a group of users, devices, or service principals. An Office 365 group allows access to a shared mailbox, calendar, SharePoint site, and so on. Note that even if you are creating groups in an Azure AD tenant that is not associated with an Office 365 subscription, you will still see the option to create an Office 365 group.


[Figure 1-2 (screenshot not reproduced): the New Group blade, with the Group type (Security), Group name, Group description, Membership type (Assigned), Owners, and Members fields.]

FIGURE 1-2 New Group blade in the Azure portal


Also, Group Name is a required field. While filling in a Group Description is not required, 
it is recommended that you always include a Group Description to make it easier to find and 
identify the purpose of a group later. 


The Membership Type drop-down menu allows you to select from one of three values:

■ Assigned. This value allows you to select one or more users and add them to the group. Adding and removing users is performed manually.

■ Dynamic User. This value allows you to use dynamic group rules to automatically add and remove members.

■ Dynamic Device. This value allows you to use dynamic group rules to automatically add and remove devices.


IMPORTANT DYNAMIC GROUP REQUIREMENT

You can only create a dynamic group if you have an Azure AD Premium license. Otherwise, the Membership Type option is unavailable and is set to Assigned.


For both dynamic user and dynamic device-based groups, the rules associated with the 
group are evaluated on an ongoing basis. If a user or device has an attribute that matches the 
rule, that user or device is added to the group. If an attribute changes and the user or device 
no longer matches the criteria for group membership, the entity will be removed. Membership 
processing is not immediate. If an error occurs while processing a membership rule, an error is 
surfaced on the Group page in the Azure portal. You can always view the current processing 
status from the Group page. 


It is important to note that you can create a dynamic group for users or devices, but you cannot create both at the same time. You also cannot use user attributes in a device-based rule. It is possible to change the membership type of a group after it has been created, which provides an opportunity to transition from a static (or assigned) membership model to a dynamic membership model or vice versa.


When creating dynamic groups, rules can be built in the simple rule builder, where you assemble the query from conditions (property, operator, and value), or edited as rule syntax, where you can build complex rules with conditional logic. In the example shown in Figure 1-3, a dynamic user group is being created that will automatically update its membership based on the department attribute and its value in Azure AD.


[Figure 1-3 (screenshot not reproduced): the Dynamic membership rules builder, with And/Or, Property, Operator, and Value columns.]

FIGURE 1-3 Dynamic membership rules


Dynamic groups require an Azure AD Premium P1 (or equivalent EM + S) license. 
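The rule semantics described above (conditions joined with And/Or, evaluated against each user's attributes, and re-evaluated as attributes change) can be tried offline with the following Python script. It is an added example, not code from the book or Microsoft's implementation; it models a subset of the rule language against constructed sample users, and it treats -eq, -ne and -in as case-insensitive, which is an assumption of the model.

```python
"""Offline evaluator for Azure AD dynamic membership rules. Added example, not from
the book and not Microsoft's implementation: a simplified model (operators -eq, -ne,
-contains, -in; connectors -and, -or, -not; parentheses; -eq/-ne/-in treated as
case-insensitive, an assumption) for trying a rule on constructed directory objects."""
import re

# Tokens: ( ) "string" ["list","of","strings"] -operator property-or-keyword
_TOKEN = re.compile(r'\s*(\(|\)|"[^"]*"|\[[^\]]*\]|-[A-Za-z]+|[A-Za-z_][\w.]*)')

def tokenize(rule):
    rule, tokens, pos = rule.strip(), [], 0
    while pos < len(rule):
        m = _TOKEN.match(rule, pos)
        if not m:
            raise ValueError(f"unrecognised rule text near {rule[pos:pos + 15]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens

def _literal(tok):  # value token -> string, list of strings, or true/false/null
    if tok.startswith('"'):
        return tok[1:-1]
    if tok.startswith("["):
        return re.findall(r'"([^"]*)"', tok)
    if tok.lower() in ("true", "false", "null"):
        return {"true": True, "false": False, "null": None}[tok.lower()]
    raise ValueError(f"unsupported literal {tok!r}")

_fold = lambda v: v.casefold() if isinstance(v, str) else v
_OPERATORS = {
    "-eq": lambda a, b: _fold(a) == _fold(b),
    "-ne": lambda a, b: _fold(a) != _fold(b),
    "-contains": lambda a, b: isinstance(a, str) and isinstance(b, str) and b in a,
    "-in": lambda a, b: isinstance(b, list) and _fold(a) in [_fold(x) for x in b],
}

# Recursive descent over the token list: -or binds loosest, then -and, then -not.
def _peek(toks):
    return toks[0].lower() if toks else None

def _take(toks):
    if not toks:
        raise ValueError("unexpected end of rule")
    return toks.pop(0)

def _expr(toks):
    return _binary(toks, "-or", lambda t: _binary(t, "-and", _unary))

def _binary(toks, op, operand):
    node = operand(toks)
    while _peek(toks) == op:
        _take(toks)
        node = (op[1:], node, operand(toks))
    return node

def _unary(toks):
    if _peek(toks) == "-not":
        _take(toks)
        return ("not", _unary(toks))
    if _peek(toks) == "(":
        _take(toks)
        node = _expr(toks)
        if _take(toks) != ")":
            raise ValueError("missing closing parenthesis")
        return node
    scope, _, attr = _take(toks).partition(".")  # e.g. user.department
    op = _take(toks).lower()
    if scope not in ("user", "device") or not attr or op not in _OPERATORS:
        raise ValueError(f"bad comparison near {scope}.{attr} {op}")
    return ("cmp", attr, op, _literal(_take(toks)))

def compile_rule(rule):
    """Parse a rule into a tree, rejecting unsupported operators and stray tokens."""
    toks = tokenize(rule)
    tree = _expr(toks)
    if toks:
        raise ValueError(f"unexpected token {toks[0]!r}")
    return tree

def _eval(node, obj):
    if node[0] == "cmp":
        return _OPERATORS[node[2]](obj.get(node[1]), node[3])  # missing attribute -> null
    if node[0] == "not":
        return not _eval(node[1], obj)
    left, right = _eval(node[1], obj), _eval(node[2], obj)
    return (left and right) if node[0] == "and" else (left or right)

def evaluate(rule, obj):  # True if the object (a dict of attributes) matches the rule
    return _eval(compile_rule(rule), obj)

def members(rule, objects):  # sorted userPrincipalNames the rule would put in the group
    tree = compile_rule(rule)
    return sorted(o["userPrincipalName"] for o in objects if _eval(tree, o))

# Constructed sample users (not real accounts); dave has no department attribute.
USERS = [
    {"userPrincipalName": "alice@contoso.example", "department": "Sales", "accountEnabled": True, "jobTitle": "Account Manager"},
    {"userPrincipalName": "bob@contoso.example", "department": "sales", "accountEnabled": False, "jobTitle": "Sales Intern"},
    {"userPrincipalName": "carol@contoso.example", "department": "Engineering", "accountEnabled": True, "jobTitle": "Engineer"},
    {"userPrincipalName": "dave@contoso.example", "accountEnabled": True, "jobTitle": "Contractor"},
]
```

Running `members('user.department -eq "Sales"', USERS)` shows why a department-based rule also pulls in disabled accounts unless the rule adds an accountEnabled condition, and the null rule shows which objects lack the attribute entirely.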


Manage user and group properties 


As users and groups are used, they might need updates to their attributes (or properties). For example, you might need to change a user's job title, or you might need to add or remove members from an existing group.


Users and groups can be updated using management tools such as Azure portal, Azure 
PowerShell, Azure CLI, and Microsoft Graph. Figure 1-4 shows an example of the user profile in 
the Azure portal that can be accessed by browsing to your Azure AD tenant, selecting Users, 
choosing a user, and clicking Edit. 


Groups can be managed through the Azure portal by browsing to your Azure AD tenant, selecting Groups, choosing a specific group, and then clicking Properties, Members, or Owners, depending on the type of update you want to make. When editing a group, you will not be able to change the Group Type (such as changing a Security group to an Office 365 group), but you will be able to update the Group Name, Group Description, and the Membership Type, as shown in Figure 1-5. Changing a static group to a dynamic group removes all the members from the static group and applies the dynamic membership rules. This change also affects access to resources if the static group had any previously assigned access for its members.


[Figure 1-4 (screenshot not reproduced): the profile page of a user named Chris Green.]

FIGURE 1-4 A user profile in the Azure portal


[Figure 1-5 (screenshot not reproduced): the Properties page of a group named Business Development, showing the Group name, Group description, Membership type (Assigned), and Object Id fields, with Members, Owners, Group memberships, Administrative units, Applications, and Azure role assignments in the left-hand menu.]

FIGURE 1-5 Edit group properties blade in the Azure portal


Manage device settings

Registered and joined devices in Azure AD can be managed in two areas in the Azure portal:

■ The first is by browsing to your Azure AD tenant in the Azure portal and selecting Devices. All Devices is the default view, but you can also choose other views, such as Device Settings, BitLocker Keys, and so on.

■ The second is through the Devices blade for an individual user.


With either option, you will be able to search for devices using the device name as a filter, view a detailed overview of any registered and joined devices, and perform common device-management tasks.


To enable and disable devices, you must be a Global Administrator. Disabling a device 
prevents it from accessing Azure AD resources. Note that this does not prevent the user from 
accessing resources in general; it only prevents the user from accessing resources from that 
disabled device. Figure 1-6 shows the Disable button. 


[Figure 1-6 (screenshot not reproduced): the All Devices blade, with Disable and Delete buttons above a list of two Azure AD registered Windows 10 devices and columns for Name, Enabled, OS, Version, Join type, and Compliant.]

FIGURE 1-6 Disable button from the All Devices blade in the Azure portal


Deleting devices is similar to enabling or disabling a device. Again, the user performing the update must be a Global Administrator. Deleting a device prevents a device from accessing your Azure AD resources and removes all details that are attached to the device (including BitLocker keys for Windows devices). Deleting a device represents a non-recoverable activity and is not recommended unless it is required for an activity such as device decommissioning.


Perform bulk user updates 


Previously, the Azure portal was only helpful for single updates to users, which meant we had 
to rely on custom automation solutions (mostly using PowerShell) for updating users in bulk. 
Because of recent updates, you can now perform bulk operations (such as creating, inviting, 
and deleting users in batches) using the Azure portal. 


You can access this functionality by navigating to your Azure AD tenant in the Azure portal 
and then clicking Users. You will see these functionalities at the top of the blade, as shown in 
Figure 1-7. 


[Figure 1-7 (screenshot not reproduced): the toolbar of the Users blade, with New user, New guest user, Bulk create, Bulk invite, Bulk delete, Download users, and Refresh buttons.]

FIGURE 1-7 Bulk updates from the Users blade in the Azure portal


After clicking the Bulk Create button, you will see the Bulk Create User blade, which is 
shown in Figure 1-8. 
[Figure 1-8 (screenshot not reproduced): the Bulk Create User blade, listing the three steps: 1. Download csv template (optional), 2. Edit your csv file, 3. Upload your csv file.]

FIGURE 1-8 Bulk create user blade in the Azure portal


Bulk operations are a three-step process:

1. Download a CSV (comma-separated values or comma-delimited) template (UserCreateTemplate.csv) by clicking the Download button on the Bulk Create User blade. This is a standard template with mandatory attributes, such as Name, User Name, Initial Password, and Block Sign In. You can also specify optional attributes such as First Name, Last Name, Job Title, and so on.

2. Edit the CSV file with the bulk update values. You just need to update the appropriate values and save the changes. Sample mandatory values are already included in the template for reference.

3. Upload the updated CSV file and submit the operation.
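Before uploading the edited CSV in step 3, the following Python script (an added example, not from the book or from Microsoft) lints it the way an identity team would want: it flags the template's leftover "Example:" row, duplicate sign-in names, domains not verified in the tenant, and empty initial passwords. The template layout, the verified-domain list and the minimum password length are assumptions written into the script.

```python
"""Pre-upload checks for the bulk-create CSV. Added example, not from the book or
from Microsoft: it lints an edited copy of the template so placeholder rows,
duplicate sign-in names, unverified domains and empty initial passwords are caught
locally rather than as failed rows in Bulk Operation Results. The layout (a
"version:v1.0" first line, then headers carrying the Azure AD attribute name in
square brackets) is assumed from the downloadable template; adjust if yours differs."""
import csv
import io
import re

# Constructed sample in the assumed template layout. The "Example:" row is the
# reference row shipped in the template and must be removed before upload.
SAMPLE_CSV = """version:v1.0
Name [displayName] Required,User name [userPrincipalName] Required,Initial password [passwordProfile] Required,Block sign in (Yes/No) [accountEnabled] Required,First name [givenName],Last name [surname],Job title [jobTitle],Department [department]
Example: Chris Green,Example: chris@contoso.com,Example: Password123,Example: No,Example: Chris,Example: Green,Example: Manager,Example: Sales
Alice Moore,alice.moore@contoso.example,Tr0ub4dor&3-Winter,No,Alice,Moore,Account Manager,Sales
Bob Lee,bob.lee@contoso.example,,No,Bob,Lee,Engineer,Engineering
Carol Diaz,carol.diaz@partner-example.net,Correct-Horse-9,Yes,Carol,Diaz,Analyst,Finance
Alice Moore,ALICE.MOORE@contoso.example,Another-Passw0rd!,No,Alice,Moore,Account Manager,Sales
"""

VERIFIED_DOMAINS = {"contoso.example"}  # assumed: domains verified in the tenant
MIN_PASSWORD_LEN = 8                    # assumed: the tenant's minimum password length
REQUIRED = ("displayName", "userPrincipalName", "passwordProfile", "accountEnabled")
UPN_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def parse_template(text):
    """Return ({attribute: column index}, data rows) for a file in the template layout."""
    lines = text.splitlines()
    if not lines or not lines[0].startswith("version:"):
        raise ValueError("first line must be the template's version marker")
    reader = csv.reader(io.StringIO("\n".join(lines[1:])))
    header = next(reader, [])
    columns = {}
    for idx, name in enumerate(header):
        m = re.search(r"\[(\w+)\]", name)  # "User name [userPrincipalName] Required"
        if m:
            columns[m.group(1)] = idx
    return columns, list(reader)


def _cell(row, columns, attr):
    idx = columns[attr]
    return row[idx].strip() if idx < len(row) else ""


def lint(text):
    """Return [(line number, message)] findings; an empty list means ready to upload."""
    columns, rows = parse_template(text)
    missing = [a for a in REQUIRED if a not in columns]
    if missing:
        return [(2, "template is missing mandatory columns: " + ", ".join(missing))]
    findings, first_seen = [], {}
    for line, row in enumerate(rows, start=3):  # line 1 = version, line 2 = header
        if not any(c.strip() for c in row):
            continue  # blank trailing line
        if any(c.strip().startswith("Example:") for c in row):
            findings.append((line, "placeholder row from the template still present"))
            continue
        upn = _cell(row, columns, "userPrincipalName")
        if not UPN_RE.fullmatch(upn):
            findings.append((line, f"user name {upn!r} is not a valid sign-in address"))
        else:
            domain = upn.rsplit("@", 1)[1].lower()
            if domain not in VERIFIED_DOMAINS:
                findings.append((line, f"domain {domain!r} is not verified in the tenant"))
            key = upn.lower()  # UPNs are case-insensitive, so ALICE@ and alice@ collide
            if key in first_seen:
                findings.append((line, f"duplicate user name (also on line {first_seen[key]})"))
            first_seen.setdefault(key, line)
        if not _cell(row, columns, "displayName"):
            findings.append((line, "Name is mandatory"))
        if len(_cell(row, columns, "passwordProfile")) < MIN_PASSWORD_LEN:
            findings.append((line, "initial password is empty or shorter than the minimum"))
        if _cell(row, columns, "accountEnabled") not in ("Yes", "No"):
            findings.append((line, "Block sign in must be exactly Yes or No"))
    return findings
```

Running `lint(SAMPLE_CSV)` reports the leftover example row on line 3, the empty password on line 5, the unverified partner domain on line 6, and the case-variant duplicate of Alice on line 7.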


After submitting the operation, you can check the status of the bulk operation by navigating to the Bulk Operation Results option under the Activity section of the Users blade (see Figure 1-9).


[Figure 1-9 (screenshot not reproduced): the Bulk Operation Results blade under the Activity section of the Users blade, listing each operation with its status and the counts of successful, failed, and total requests.]

FIGURE 1-9 Bulk operation results blade in the Azure portal


Manage guest accounts 

To create guest users from the Azure portal, browse to your Azure AD tenant as a user with rights to create users, select the Users blade, and choose +New Guest User. An example of this blade is shown in Figure 1-10. A guest user can be anyone who is invited to collaborate with your organization. Once created, the guest user should receive an invitation in their mailbox.


Guest users can be created and managed similarly to how normal user accounts are created 
and managed. Guest users can be invited to the directory, group, or application. As soon as 
we invite the guest user, that account is created in Azure AD with the User Type set to Guest. 
The guest user will receive an email invitation immediately after creation. The guest user must 
accept the invitation along with the first-time consent process in order to access the assigned 
resources. 


By default, all users and admins can invite guests. You can restrict the way guest users can 
be invited by accessing the Manage External Collaboration Settings on the Users blade 
under User Settings. The External Collaboration Settings are shown in Figure 1-11. You can 
also access these settings from Azure AD tenant by clicking the User Settings on the left 
menu and then choosing Manage External Collaboration Settings in the External Users 
section. 


[Figure 1-10 (screenshot not reproduced): the New User blade with Invite User selected, with sections for Identity (Name, Email address, First name, Last name, Personal message), Groups and roles (Groups, Roles), Settings (Block sign in, Usage location), and Job info (Job title, Department).]

FIGURE 1-10 New User blade in the Azure portal
[Figure 1-11 (screenshot not reproduced): the External Collaboration Settings blade, with the settings Guest users permissions are limited; Admins and users in the guest inviter role can invite; Members can invite; Guests can invite; Enable Email One-Time Passcode for guests (Preview); and the Collaboration restrictions options Allow invitations to be sent to any domain (most inclusive), Deny invitations to the specified domains, and Allow invitations only to the specified domains (most restrictive).]

FIGURE 1-11 External Collaboration Settings blade in the Azure portal


When a guest user is added, the guest user has a Consent Status (viewable in PowerShell) as 
PendingAcceptance. This value will be changed to Accepted immediately after the guest user 
accepts the invitation. The guest user will appear as an “invited user” in the Azure portal until 
the user accepts the invitation. 


Configure Azure AD Join 


Azure Active Directory includes the ability to manage device identity, which enables single 
sign-in to devices and the applications and services managed through Azure Active Directory 
that are accessed from that device. Managed devices include both enterprise and bring-your- 
own-device (BYOD) scenarios. This allows users to work from any device, including personal 
devices, all while protecting corporate intellectual property with the necessary regulatory and 
compliance controls. 


Azure AD Join allows you to control these devices, the applications installed and accessed 
from them, and how those applications interact with your corporate data. 


When associating devices with Azure AD, you have three options: registering a device, joining a device, and hybrid Azure AD join. Registration of devices is appropriate for personal devices, while joining devices is useful for corporate-owned devices. Hybrid Azure AD joined devices are joined to your on-premises Active Directory and are registered with your Azure AD tenant.
Associating a device with Azure AD allows you to manage the device's identity by implementing features like single sign-on (SSO) and securing access using conditional access. Note that this identity can be managed independently of a user's identity. This provides a great degree of flexibility because devices can be enabled or disabled without affecting a user account. Azure AD Join is an extension of device registration that changes the local state of the device. When a device is Azure AD joined, users can sign in to the device using an organizational account instead of a personal account.


Also, registration of devices in Azure AD can be combined with a mobile device management solution, such as Microsoft Intune, Microsoft Endpoint Configuration Manager, Mobile Application Management (MAM), or Group Policy if the device is hybrid Azure AD joined. This allows additional device attributes (such as the device OS version and the device state, including whether the device is rooted or jailbroken) to be tracked in Azure AD. Those attributes can then be used to build and enforce conditional access policies, which can further secure corporate data.


Device registration is configured in Azure AD under Devices > Device Settings. From this 
screen, you can set the configuration for an entire Azure AD tenant, as seen in Figure 1-12. 


[Figure 1-12 (screenshot not reproduced): the Devices > Device settings blade, with the settings Users may join devices to Azure AD, Additional local administrators on Azure AD joined devices, Users may register their devices with Azure AD, Require Multi-Factor Auth to join devices, Maximum number of devices per user (set to 20), and a Manage Enterprise State Roaming settings link.]

FIGURE 1-12 Configure device registration settings


From this screen, you can configure the following settings:

■ Users May Join Devices To Azure AD. This setting allows you to select the users and groups that can join devices to Azure AD. This setting only applies to Azure AD Join on Windows 10 devices. The default value is All and can be changed to Selected or None.

■ Additional Local Administrators On Azure AD Joined Devices. With Azure AD Premium or with the Enterprise Mobility Suite, you can choose which users are granted Local Administrator rights to the device. Global Administrators and the device owner are granted Local Administrator rights by default. The default value is None and can be changed to Selected. If the value is set to Selected, any users added here are also added to the Device Administrators role in Azure AD.

■ Users May Register Their Devices With Azure AD. This setting allows users to register their devices with Azure AD (Workplace Join). Enrollment with Microsoft Intune or Mobile Device Management for Office 365 requires device registration. If you have configured either of these services, All will be selected, and the button associated with the setting will be disabled.

■ Require Multi-Factor Auth To Join Devices. Multifactor authentication is recommended when adding devices to Azure AD. When set to Yes, users who are adding devices from the Internet must first use a second method of authentication. Prior to enabling this setting, you must ensure that multifactor authentication is configured for the users who are able to register devices and that those users have completed MFA setup.

■ Maximum Number Of Devices Per User. This setting designates the maximum number of devices that an individual user can have in Azure AD. If the quota is reached, the user will not be able to add a device until one of their existing devices is removed. Valid values for this setting are 5, 10, 20, 50, 100, and Unlimited.

NOTE HYBRID AD JOINED DEVICES

The multifactor authentication and maximum number of devices per user settings are not applicable to hybrid Azure AD joined devices.

■ Manage Enterprise State Roaming Settings. Clicking this link at the bottom of the blade takes you to a new blade containing the Users May Sync Settings And App Data Across Devices setting. With Azure AD Premium or EMS, you can enable Enterprise State Roaming for All users, for None, or, by choosing the Selected value, for a subset of your users. This is only applicable to Windows 10 devices.


After the directory has been configured, you can begin registering devices. Azure AD 
Join has several device requirements, including supported Windows versions, and those 
requirements depend on the type of join: hybrid or non-hybrid. Non-hybrid Azure AD Join 
applies to devices that are not joined to an on-premises Active Directory, while hybrid 
Azure AD Join applies to devices that are joined to an on-premises directory. For hybrid 
Azure AD Join, an IT administrator must perform the join to Azure AD. 

For non-hybrid Azure AD Join, Windows 10 Professional and Windows 10 Enterprise devices 
can be joined to a directory. For hybrid Azure AD Join, you can join current Windows 
devices such as Windows 10 and Windows Server 2016, and there is also support for hybrid 
join of down-level devices, including Windows 7, Windows 8.1, Windows Server 2008, Windows 
Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2. 



Humble Bundle MS Exam Ref Pearson Mega Bundle — © Pearson. Do Not Distribute. 



Configure self-service password reset 


Password reset is one of the highest-cost support activities for many organizations, and 
many of them have dedicated front-line help desks to handle such requests. Self-service 
password reset (SSPR) allows users to reset their own passwords in Azure AD, including 
optionally writing the new password back to an on-premises environment when password 
writeback is licensed and configured through Azure AD Connect. SSPR allows users to 
change their passwords, reset them when they cannot sign in, and unlock their accounts, 
all without involving the IT department. 


Each of these scenarios applies to both cloud-only and hybrid users, but the licensing 
requirements vary. Table 1-1 details each scenario, the type of user it applies to, and the 
required licenses. 


TABLE 1-1 Self-service password reset license requirements 

Scenario                     | User Type       | License Requirements 
Password Change              | Cloud-only user | Included in all editions of Azure AD 
Password Reset               | Cloud-only user | Microsoft 365 Business Standard, Microsoft 365 Business Premium, Azure AD Premium P1, Azure AD Premium P2 
Password Change/Unlock/Reset | Hybrid user     | Microsoft 365 Business Premium, Azure AD Premium P1, Azure AD Premium P2 


SSPR is enabled through the Azure portal by browsing to your Azure AD tenant and 
then selecting Password Reset. When enabling SSPR, you can scope the functionality to a 
group, which lets you roll the feature out in waves as users are onboarded into the 
service. As part of the configuration, you also select the authentication methods for SSPR: 
Mobile App Notification, Mobile App Code, Email, Mobile Phone, Office Phone, and/or 
Security Questions (as shown in Figure 1-13), together with the number of methods a user 
must supply to reset. Security questions are the weakest of these methods and cannot be 
used by administrator accounts, which are always required to use two methods. Finally, 
you configure registration options on the Registration blade, such as whether registration 
is required to use SSPR and the number of days before users must reconfirm their 
authentication information. 

You can also control how notifications are sent to users and admins on the Notifications 
blade; notifying all admins when another admin resets a password is worth leaving on. The 
Customization blade lets you provide a custom helpdesk link or email address that users 
see if they need to contact an administrator. If on-premises integration is enabled, the 
On-Premises Integration blade controls whether passwords are written back to your on- 
premises directory and whether users can unlock accounts without resetting their passwords. 


MORE INFO 


You can find details on self-service password reset writeback at https://docs.microsoft.com/ 
azure/active-directory/authentication/concept-sspr-writeback. 
[Figure 1-13 screenshot: the Password reset | Authentication methods blade, with Number 
of methods required to reset and the Methods available to users check boxes (Mobile app 
notification, Mobile app code, Email, Mobile phone, Office phone, Security questions). The 
portal note reads: These settings only apply to end users in your organization. Admins are 
always enabled for self-service password reset and are required to use two authentication 
methods to reset their password.] 

FIGURE 1-13 Configure SSPR Authentication Methods 


Skill 1.2: Manage role-based access control (RBAC) 

Access control in Microsoft Azure is an important part of an organization's security and com- 
pliance requirements. Implementing role-based access control (RBAC) allows Azure to define 
access rights at a very granular level, based on each user's assigned tasks or the day-to-day 
activities those users need to perform in their roles. This ensures that each person can perform 
the tasks he or she needs to accomplish, and nothing more. 


This skill covers: 
■ Understand how RBAC works 
■ Create a custom role 
■ Provide access to Azure resources by assigning roles at the subscription, resource group, 
  and resource (VM, disk, and so on) scopes 
■ Implement RBAC using the Azure portal 
■ Implement RBAC using Azure PowerShell and the Azure CLI 
■ Interpret access assignments 
Role-based access control 


Role-based access control (RBAC) lets you manage the entities, also referred to as security 
principals, that have access to Azure resources and the actions those entities can perform. 
In addition to determining who can do what, every Azure RBAC assignment is applied at a 
scope that dictates where that access applies. In Azure, access is granted to users, groups, 
service principals, and managed identities through role assignments, each applied at a 
scope such as a management group, a subscription, a resource group, or an individual 
resource. Azure RBAC applies to resources created through the Azure Resource Manager 
(ARM) deployment model. 


A role is the definition of what actions are allowed and/or denied. RBAC is configured by 
selecting a role and associating the role with a security principal, such as a user, group, or 
service principal. Then, this combination of role and security principal is applied to a scope of a 
subscription, a resource group, or a specific resource through a role assignment. 


Azure also has role inheritance: child scopes inherit the role assignments of their parents. 
For example, if a user is granted Reader at a subscription, that user has read access to all 
the resource groups and resources in that subscription. If a managed identity (an identity 
in Azure AD that an Azure resource can use to authenticate) is granted Contributor for a 
single resource group, it can only interact with that resource group and its child resources; 
it cannot create new resource groups or access resources in other resource groups unless 
an explicit role assignment is made. 


Azure RBAC uses an additive model. As you apply roles to security principals, it is 
common to have overlapping assignments, where a principal holds different roles at a 
parent and a child scope. For example, if a user is granted Contributor at the management 
group scope and then Reader in one subscription, the user still has Contributor rights 
across that subscription, along with Contributor rights to every other subscription under 
the management group. The effective permissions are the union of all assignments on the 
scope chain: a narrower role assigned at a child scope never subtracts from a broader role 
inherited from a parent. 


Before a security principal such as a user or group can interact with Azure resources, 
it must be granted access at a scope through a role assignment. Once granted, it can 
perform any action the assigned roles permit. Always grant the minimum privileges a user 
or object needs to perform its tasks. Figure 1-14 shows a suggested access pattern that 
follows the principle of least privilege. A security group in Azure AD called IT Audit is 
granted Reader at the subscription scope, giving members read access to all resource 
groups and resources in the subscription. A security group called Application Admins is 
granted Contributor on selected resource groups only, and a security group called 
Application Owners is granted Owner on selected resource groups. By using security 
groups with role assignments at the proper scope, access can later be granted or revoked 
simply by changing group membership in Azure AD, which also means that whoever can 
manage the membership of those groups effectively controls access to the resources. 
FIGURE 1-14 Azure RBAC role assignments 
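The inheritance and additive rules described above, worked through as an added example. This is not the book's code and does not call Azure: the scope hierarchy (modelled on Figure 1-15), the group names (taken from Figure 1-14), the user principal names, the subscription ID and the assignments are all constructed, and effective_roles, scope_chain and principal_identities are names chosen here.

```python
"""Azure RBAC scope inheritance and the additive assignment model (added example)."""
from typing import Dict, List, Optional, Set, Tuple

# Constructed scope hierarchy. Scope IDs follow the ARM format, but a subscription
# ID is not a string prefix of its management group, so parent links are recorded
# explicitly rather than derived from the path.
MG = "/providers/Microsoft.Management/managementGroups/contoso-root"
SUB = "/subscriptions/11111111-1111-1111-1111-111111111111"      # placeholder ID
RG_APP = SUB + "/resourceGroups/rg-app"
RG_NET = SUB + "/resourceGroups/rg-net"
VM01 = RG_APP + "/providers/Microsoft.Compute/virtualMachines/vm01"
PARENT: Dict[str, Optional[str]] = {MG: None, SUB: MG, RG_APP: SUB, RG_NET: SUB, VM01: RG_APP}

# Constructed Azure AD group membership (group name -> user principal names).
GROUP_MEMBERS: Dict[str, Set[str]] = {
    "IT Audit": {"alice@contoso.example"},
    "Application Admins": {"bob@contoso.example"},
    "Application Owners": {"carol@contoso.example"},
}

# Constructed role assignments: (principal, role name, scope). Groups rather than
# individual users carry the assignments, as the text recommends.
ASSIGNMENTS: List[Tuple[str, str, str]] = [
    ("IT Audit", "Reader", SUB),
    ("Application Admins", "Contributor", RG_APP),
    ("Application Owners", "Owner", RG_APP),
    # dave holds overlapping assignments at a parent scope and a child scope
    ("dave@contoso.example", "Contributor", MG),
    ("dave@contoso.example", "Reader", SUB),
]


def scope_chain(scope: str) -> List[str]:
    """Return the scope and all of its ancestors, nearest first."""
    chain: List[str] = []
    current: Optional[str] = scope
    while current is not None:
        chain.append(current)
        current = PARENT[current]
    return chain


def principal_identities(user: str) -> Set[str]:
    """The user plus every group the user belongs to; any of them can carry an assignment."""
    return {user} | {g for g, members in GROUP_MEMBERS.items() if user in members}


def effective_roles(user: str, scope: str, assignments=ASSIGNMENTS) -> Dict[str, str]:
    """Roles in effect for `user` at `scope`, mapped to the scope each was inherited from.

    Every assignment on the scope or on any ancestor counts (inheritance), and the
    result is the union of all of them (additive model): a narrower role at a child
    scope never subtracts from a broader role granted at a parent.
    """
    identities = principal_identities(user)
    ancestors = scope_chain(scope)
    found: Dict[str, str] = {}
    for principal, role, assigned_scope in assignments:
        if principal in identities and assigned_scope in ancestors:
            # if the same role is assigned more than once, report the nearest scope
            if role not in found or ancestors.index(assigned_scope) < ancestors.index(found[role]):
                found[role] = assigned_scope
    return found


def is_granted(user: str, scope: str, assignments=ASSIGNMENTS) -> bool:
    """A principal with no assignment anywhere on the scope chain has no access at all."""
    return bool(effective_roles(user, scope, assignments))


if __name__ == "__main__":
    for user, scope in [("alice@contoso.example", VM01), ("bob@contoso.example", RG_NET),
                        ("dave@contoso.example", VM01)]:
        print(user, "at", scope.rsplit("/", 1)[-1], "->", effective_roles(user, scope))
```

Running it shows alice (via IT Audit) holding Reader on vm01 through the subscription, bob having no access at all to rg-net because his Contributor assignment sits on rg-app, and dave holding both Contributor (from the management group) and Reader (from the subscription) on vm01: the Reader assignment did not narrow anything.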


IMPORTANT USING GROUPS WITH AZURE RBAC 


RBAC role definitions get “attached” to a user, group, service principal, or managed identity 
via a role assignment. When assigning roles to a group, all users in the group will inherit the 
assigned role. You can assign roles to group for easier management and greater flexibility 
when applying RBAC at scale. 


The specific permissions that are applied to a resource with RBAC are defined in a role defi- 
nition. A role definition contains the list of permissions—or declared permissions—and those 
permissions define what actions can or cannot be performed against a type of resource, such 
as read, write, or delete. 


Role definitions, or roles, can be either built-in or custom. Azure provides a large number 
of built-in role definitions. Some, such as the Owner role, include permissions to manage 
resources, security, and role assignments themselves. Others have limited permission sets, 
such as Storage Blob Data Reader, which allows the assigned security principal only to read 
and list containers and blobs. 


There are many built-in roles in Azure, which can be found at https://docs.microsoft.com/ 
azure/role-based-access-control/built-in-roles. Microsoft consistently adds new built-in 
roles as services evolve or as new services are introduced. 


IMPORTANT AZURE ROLES AND AZURE AD ROLES 

Azure RBAC roles are different from Azure AD administrative roles. RBAC roles grant or 
restrict access to Azure resources, while Azure AD administrative roles grant or restrict 
the right to perform identity tasks, such as creating new users or resetting users' 
passwords. For example, a user granted Global Administrator in Azure AD does not thereby 
gain permission to create resources in Azure, but can perform every identity task in the 
Azure AD tenant. Note, however, that a Global Administrator can elevate their own access 
to User Access Administrator at the root scope of all subscriptions (the Access management 
for Azure resources setting), so that elevation should be monitored and used sparingly. 
Access rights are controlled with a logical boundary known as scope. For example, to 
grant a group Contributor rights to all the resources in a resource group, the Contributor role 
can be assigned to the group at the resource group scope, where it is then inherited by all of 
the resources in the resource group. 


There are four scopes at which RBAC can be applied, and scopes are structured in a parent- 
child relationship where RBAC is inherited by any child scopes. The highest scope, or top-most 
parent scope, is a management group. 


EXAM TIP 


Management groups are not applicable in all scenarios and in some cases a subscription will 
be the highest scope you will work with when applying role assignments. 


Under the management group are subscriptions; under subscriptions are resource groups; 
and under resource groups are resources. Figure 1-15 shows a sample hierarchy with a parent 
management group and two subscriptions, each with a resource group and child resources. 
Note that you can also create another management group under a root management group. 
An Azure AD tenant can support up to 10,000 management groups. 


[Figure 1-15 diagram: a Management Group at the top, two Subscriptions beneath it, a 
Resource Group under each subscription, and Resources under each resource group.] 

FIGURE 1-15 Scope Hierarchy 


IMPORTANT RBAC INHERITANCE 


The concept of RBAC inheritance is critical. Granting a user access to the Owner role at the 
management group scope will grant that user Owner rights to all the subscriptions under the 
management group that is inclusive of all the resource groups and resources within them. 



After you have identified the role, security principal, and scope at which the role will be 
assigned, you can make the assignment. Remember, security principals do not have access to 
Azure resources until a role assignment is made, and that access can be revoked by removing a 
role assignment. 


IMPORTANT ROLE ASSIGNMENT LIMITS 


You can have up to 2,000 role assignments in each subscription, and you can have up to 500 
role assignments per management group. 


To create and remove role assignments, you must have the Microsoft.Authorization/ 
roleAssignments/* permission at the necessary scope. This permission is granted through the 
Owner or User Access Administrator built-in roles, or it can be included in a custom role. 


NOTE AZURE ROLE ASSIGNMENTS 

With Azure role assignments, there is no way to take access away at a child scope by 
applying a more restrictive role assignment, because the broader assignment is inherited 
from the parent and the model is additive. It is, however, possible to apply a deny 
assignment at a scope by using Azure Blueprints resource locks. Deny assignments are 
evaluated before role assignments and block the specified actions for the principals they 
target, even where a role assignment would otherwise allow them. For more information, 
see https://docs.microsoft.com/azure/governance/blueprints/tutorials/protect-new-resources. 


Create a custom role 

In addition to the built-in roles available in Azure, you might face a situation where you need 
to create a custom role to provide a set of permissions that is not available in any of the built-in 
roles. Custom roles can be created and assigned through the Azure portal, Azure PowerShell, 
the Azure CLI, and the REST API. In this chapter, we mainly cover how to create a custom role 
using the Azure portal. 


IMPORTANT CUSTOM ROLES 


Custom roles can be shared between subscriptions that trust the same Azure AD directory. 
There is a limit of 5,000 custom roles per directory, though Azure Germany and Azure China 
21Vianet can have up to 2,000 custom roles for each directory. 
There are three ways you can create custom roles in the Azure portal: 
■ Clone one of the existing built-in roles 
■ Start from scratch 
■ Start from a JSON file that defines the custom permissions 


To clone a built-in role, open the Access Control (IAM) blade by accessing subscription or 
resource group and then clicking + Add > Add Custom Role, as shown in Figure 1-16. 
FIGURE 1-16 Add custom role option in the Access control (IAM) blade 


On the Create A Custom Role blade, and under Baseline Permissions, select Clone A 
Role. Next, from the Role To Clone drop-down menu, select the desired role, such as Virtual 
Machine Contributor, as shown in Figure 1-17. You can select the role with the nearest identi- 
cal permissions from the built-in roles. 


On the next screen, you have the Add Permissions and Exclude Permissions options, as shown 
in Figure 1-18. This screen displays all the permissions associated with the built-in role you 
selected in Figure 1-17. 

When you click + Add Permissions, you can search all the permissions available in the 
catalog. For example, search for virtual machine, as shown in Figure 1-19, and select 
Microsoft Compute to see the operations available for that resource provider. 


IMPORTANT ARM RESOURCE PROVIDER OPERATIONS 

To explore all the operations available for each Azure Resource Manager resource 
provider, see https://docs.microsoft.com/en-us/azure/role-based-access-control/ 
resource-provider-operations. 
FIGURE 1-17 Creating a custom role 

FIGURE 1-18 Add or exclude permissions while creating a custom role 
[Figure 1-19 screenshot: the Add permissions pane with the search term "virtual machine", 
listing resource providers such as Microsoft Azure Lab Services, Microsoft DevTest Labs, 
Microsoft.SqlVirtualMachine, Microsoft ClassicCompute, Microsoft ClassicStorage, 
Microsoft Network, Microsoft Compute (Access cloud compute capacity and scale on demand, 
such as virtual machines) and Microsoft Web Apps.] 

FIGURE 1-19 Adding the Microsoft Compute permission 


Once you select Microsoft Compute, you can select specific permissions from the Actions 
and Data Actions tabs. The Actions tab contains the management operations that a role can 
perform on a resource (create, read, update, or delete), and the Data Actions tab contains the 
operations a role can perform on the data within a resource, such as reading blobs in a 
storage account. Similarly, to exclude permissions, the Not Actions and Not Data Actions tabs 
list operations that the role is not allowed to perform. An excluded operation is subtracted 
from this role's own Actions only; it is not a deny that overrides other roles the principal 
may hold (see Figure 1-20). 

After you select the required permissions, you must select the Assignable Scopes for the 
custom role. A scope can be a subscription or a resource group (the picker in Figure 1-21 
offers both), and the custom role must have at least one valid assignable scope (see 
Figure 1-21). 
[Figure 1-20 screenshot: Microsoft.Compute permissions, Actions tab, filtered on "virtual 
machine". Each operation has a check box and a description, for example 
Microsoft.Compute/availabilitySets/vmSizes (Read: List Virtual Machine Sizes for Availability 
Set), Microsoft.Compute/locations/vmSizes (Read: List Available Virtual Machine Sizes in 
Location), and Microsoft.Compute/virtualMachineScaleSets with Read, Write and Delete plus 
Other operations such as Start, Power Off, Restart, Deallocate, Manual Upgrade, Reimage and 
Reimage all Disks.] 

FIGURE 1-20 Permission list under the Actions tab 


[Figure 1-21 screenshot: Create a custom role, Assignable scopes tab, with + Add assignable 
scopes and one scope of type Subscription listed as /subscriptions/<subscription-id>. The 
help text reads: Click Add assignable scopes to select the scopes (subscriptions or resource 
groups) where this role will be available for assignment. Your role must have at least one 
assignable scope.] 

FIGURE 1-21 Assignable scopes selection while creating custom role 


On the next screen, you will be presented with the JSON code based on the selection made 
on the prior screens. This code can be downloaded as a . json file, or it can be copied to reuse 
later. You can proceed to the Review + Create screen to create the custom role (see Figure 1-22). 
[Figure 1-22 screenshot: Create a custom role, JSON tab, showing the generated definition 
with roleName, description, assignableScopes (/subscriptions/<subscription-id>) and the 
actions cloned from Virtual Machine Contributor, including Microsoft.Authorization/*/read, 
Microsoft.Compute/availabilitySets/*, Microsoft.Compute/locations/*, 
Microsoft.Compute/virtualMachines/*, Microsoft.Compute/virtualMachineScaleSets/*, 
Microsoft.Compute/disks/*, Microsoft.Network/loadBalancers/backendAddressPools/join/action 
and Microsoft.Network/loadBalancers/inboundNatRules/join/action.] 

FIGURE 1-22 JSON view of the custom role definition 


Newly created custom roles can be accessed from the Roles tab (see Figure 1-23). Custom 
roles appear in the Azure portal with an orange resource icon. 


[Figure 1-23 screenshot: the Roles tab of the Access control (IAM) blade filtered on 
"virtual machine", listing Classic Virtual Machine Contributor, Virtual Machine Administrator 
Login, Virtual Machine Contributor and Virtual Machine User Login as BuiltInRole, and a 
custom role named Virtual Machine Operator as CustomRole, marked with the orange 
resource icon.] 

FIGURE 1-23 Custom role shown in the Roles tab 


Alternatively, built-in roles can be cloned by selecting a role from the Roles tab. For 
example, you could select Virtual Machine Contributor, click the ellipsis (...), and then click 
Clone (see Figure 1-24). 
[Figure 1-24 screenshot: the Roles tab filtered on "virtual machine", with Virtual Machine 
Contributor selected and its ellipsis menu open to offer Clone.] 

FIGURE 1-24 Cloning a role 


IMPORTANT REQUIRED PERMISSION TO CREATE A CUSTOM ROLE 

To create a custom role, you must have the Microsoft.Authorization/roleDefinitions/write 
permission on all AssignableScopes. 


You can also create custom role by choosing Start From Scratch from the Baseline 
Permissions. This option could be time consuming because you might need to select all the 
permissions, one-by-one, to create a custom role from scratch. 


Similarly, a custom role can be defined from a JSON (JavaScript Object Notation) file by 
selecting Start From JSON under Baseline Permissions. The JSON file contains the role 
definition: 

■ A name, represented by the Name attribute. 
■ An identifier, represented by the Id attribute (assigned by Azure when the role is created). 
■ A description, represented by the Description attribute. 
■ A flag that denotes whether the role is custom or built-in, represented by the IsCustom 
  attribute, which is false for built-in roles and must be set to true when authoring custom 
  roles. 
■ The management-plane operations that can and cannot be performed, represented by the 
  Actions[] and NotActions[] attributes; the corresponding data-plane operations are 
  represented by DataActions[] and NotDataActions[]. NotActions subtract from the Actions 
  of the same role; they are not a deny. 
■ The scopes at which the role is available for assignment, through the AssignableScopes[] 
  attribute; at least one is required. 
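The JSON definition described above, built and evaluated as an added example that also works through the NOTE on deny assignments being evaluated before role assignments. It is not the book's code and not an Azure API: the "Virtual Machine Operator" role, the simplified CONTRIBUTOR_LIKE stand-in (the real Contributor definition has more NotActions), the subscription ID, and the functions validate, role_allows and is_allowed are all constructed here. The matching rule it implements, case-insensitive with * spanning any number of path segments and effective permissions being Actions minus NotActions, is how Azure evaluates operation strings.

```python
"""Build a custom role definition as JSON and evaluate it (added example)."""
import json
from fnmatch import fnmatchcase
from typing import Dict, Iterable, List

SUBSCRIPTION = "/subscriptions/11111111-1111-1111-1111-111111111111"   # placeholder

# The attributes the text lists. Operation strings are "<provider>/<type>/<operation>".
VM_OPERATOR: Dict = {
    "Name": "Virtual Machine Operator (constructed)",
    "Id": None,                      # Azure assigns the GUID when the role is created
    "IsCustom": True,
    "Description": "Read everything; start, stop and restart virtual machines.",
    "Actions": [
        "*/read",
        "Microsoft.Compute/virtualMachines/start/action",
        "Microsoft.Compute/virtualMachines/restart/action",
        "Microsoft.Compute/virtualMachines/powerOff/action",
        "Microsoft.Compute/virtualMachines/deallocate/action",
    ],
    # NotActions subtract from this role's Actions only; they are not a deny.
    "NotActions": ["Microsoft.Authorization/*/read"],   # */read would otherwise expose role assignments
    "DataActions": [],
    "NotDataActions": [],
    "AssignableScopes": [SUBSCRIPTION],
}

# Constructed, simplified stand-in for a broad built-in role: everything except access management.
CONTRIBUTOR_LIKE: Dict = {
    "Name": "Contributor (simplified stand-in)", "IsCustom": False,
    "Actions": ["*"],
    "NotActions": ["Microsoft.Authorization/*/Write", "Microsoft.Authorization/*/Delete",
                   "Microsoft.Authorization/elevateAccess/Action"],
    "DataActions": [], "NotDataActions": [], "AssignableScopes": ["/"],
}


def validate(role: Dict) -> List[str]:
    """Return the problems that would make a custom role definition unusable."""
    problems = []
    if role.get("IsCustom") is not True:
        problems.append("IsCustom must be true for a custom role")
    if not role.get("AssignableScopes"):
        problems.append("at least one assignable scope is required")
    if not (role.get("Actions") or role.get("DataActions")):
        problems.append("the role grants nothing: Actions and DataActions are both empty")
    for field in ("Actions", "NotActions", "DataActions", "NotDataActions"):
        for op in role.get(field, []):
            if "/" not in op:
                problems.append(f"{field}: '{op}' is not a <provider>/<resource>/<operation> string")
    return problems


def matches(patterns: Iterable[str], operation: str) -> bool:
    """Operation matching: case-insensitive, and '*' spans any number of path segments."""
    op = operation.lower()
    return any(fnmatchcase(op, p.lower()) for p in patterns)


def role_allows(role: Dict, operation: str, data: bool = False) -> bool:
    """Effective permission of one role: (Actions minus NotActions), likewise for data actions."""
    allow, deny = ("DataActions", "NotDataActions") if data else ("Actions", "NotActions")
    return matches(role.get(allow, []), operation) and not matches(role.get(deny, []), operation)


def is_allowed(operation: str, roles: Iterable[Dict], deny_assignments: Iterable[str] = ()) -> bool:
    """Decision across everything in effect at a scope: deny assignments are evaluated
    first and win outright; otherwise any effective role that allows the operation suffices."""
    if matches(deny_assignments, operation):
        return False
    return any(role_allows(r, operation) for r in roles)


def to_json(role: Dict) -> str:
    """The document you would paste into Start From JSON or pass to PowerShell/CLI."""
    return json.dumps(role, indent=2)


if __name__ == "__main__":
    print(to_json(VM_OPERATOR))
    for op in ("Microsoft.Compute/virtualMachines/read",
               "Microsoft.Compute/virtualMachines/start/action",
               "Microsoft.Compute/virtualMachines/delete",
               "Microsoft.Authorization/roleAssignments/read"):
        print(f"{op:55} -> {role_allows(VM_OPERATOR, op)}")
```

Two things the run makes visible: the NotActions entry hides role assignments from a role that otherwise reads everything, and adding CONTRIBUTOR_LIKE to the same principal makes virtualMachines/delete allowed again (the additive model), which only a deny assignment on that operation can override.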


Interpret access assignments 


To manage access (role) assignments, you can use the Azure portal, the Azure CLI, Azure 
PowerShell, Azure SDKs, or the Resource Manager REST APIs. In the following section, we walk 
through how to manage role assignments using the Azure portal. 
In the Azure portal, the Access Control (IAM) blade is used to manage access to resources, 
and it is where role assignments are applied or removed. The Access Control (IAM) blade is 
available at any scope where role assignments can be made (management group, subscription, 
resource group, and resource). To find the Access Control (IAM) blade, navigate to the resource 
or service where you want to manage role assignments. 


In the following example, the Virtual Machine Contributor built-in role will be assigned to a 
user at the resource group scope. 


In the Azure portal, navigate to a resource group by selecting Resource Groups in the left 
navigation pane, selecting a resource group from the Resource Groups pane, and then select- 
ing the Access Control (IAM) blade. 


From the Access control (IAM) blade, you can 

■ Check the effective access rights of a security principal at the current scope through the 
  Check Access tab, including rights inherited from a parent scope 
■ Edit role assignments, both granting and revoking access rights, through the Role 
  Assignments tab 
■ View deny assignments, which are set by Azure services such as Azure Blueprints rather 
  than created here, through the Deny Assignments tab 
■ View and manage permissions to classic resources through the Classic 
  Administrators tab 
■ View the available roles, both built-in and custom, through the Roles tab 


IMPORTANT DENY ASSIGNMENTS IN THE IAM BLADE 

The Deny Assignments tab of the Access Control (IAM) blade cannot be used to make or 
alter deny assignments. Deny assignments are set and controlled by applying a resource lock 
to resources deployed through Azure Blueprints. 


To create a role assignment, navigate to the Role Assignments tab and click Add, as shown 
in Figure 1-25. 


[Figure 1-25 screenshot: the ExamRefRg resource group, Access control (IAM) blade, Role 
assignments tab, with + Add, Download role assignments and Refresh at the top and a counter 
reading Number of role assignments for this subscription: 12 of 2000.] 

FIGURE 1-25 Role Assignments tab on the Access Control (IAM) blade 
After clicking Add, select Add Role Assignment, as shown in Figure 1-26. 


[Figure 1-26 screenshot: the + Add menu with the options Add role assignment, Add 
co-administrator and Add custom role.] 

FIGURE 1-26 Add Role Assignment 


On the Add Role Assignment blade, select the role, and from the Assign Access To drop- 
down menu select the type of security principal you want to assign the role to. The Select 
box filters the users, groups, or service principals found in the Azure AD tenant associated 
with the Azure subscription. Click Save when you are done. Figure 1-27 shows an example in 
which the user cloudadmin@opsgility.onmicrosoft.com is granted the Virtual Machine 
Contributor role. In the example directory, two security principals were returned by the 
search term "cloud" (CloudynAzureCollector and Cloud Administrator), and a single principal 
(Cloud Administrator) was selected, shown under Selected Members, for the Virtual Machine 
Contributor role assignment. 


[Figure 1-27 screenshot: the Add role assignment blade with Role set to Virtual Machine 
Contributor, Assign access to set to Azure AD user, group, or service principal, a Select 
search box, and one selected user listed under Selected members with a Remove link.] 

FIGURE 1-27 Add Role Assignment blade 
After clicking Save, you will see the role assignment on the Role Assignments tab. To 
remove a role assignment, from the Role Assignments tab, select one or more security princi- 
pals and click Remove. An example is shown in Figure 1-28. 


[Figure 1-28 screenshot: the ExamRefRg Access control (IAM) blade, Role assignments tab, 
with a role assignment selected and the Remove command.] 

FIGURE 1-28 Remove a role assignment 


Skill 1.3: Manage subscriptions and governance 


An Azure subscription, which forms the core of an Azure environment, is a foundational com- 
ponent of every Azure implementation. Every resource that you create in Azure resides in an 
Azure subscription, which is a billing boundary for Azure resources with per-resource, role- 
based access controls. 


As you build and deploy services in Azure, you will create many types of resources. For 
instance, when creating your first virtual machine, you will also deploy several other resources, 
including 

■ A disk for the OS 
■ A network interface for the VM 
■ A virtual network and subnet for that network interface to bind to 
■ A network security group (in a default portal configuration) 

It is important to understand that many services in Azure create multiple resources, and 
how you manage those resources will be driven by organizational policy and the lifecycle of 
your infrastructure hosted in Azure. 



This skill covers: 
■ Configure Azure policies 
■ Configure resource locks 
■ Apply and manage tags on resources 
■ Create and manage resource groups 
■ Manage Azure subscriptions 
■ Configure management groups 
■ Configure cost management 


A resource in Azure is a single service instance, which can be a virtual machine, a virtual 
network, a storage account, or any other Azure service (see Figure 1-29). 


FIGURE 1-29 Azure resource 


Resource groups are logical groupings of resources or those single-service instances 
(Figure 1-30). 


[Diagram: a Resource Group containing several Resources]

FIGURE 1-30 Azure hierarchy 
Using multiple virtual machine instances, you can group the instances and manage them 
as one unit. Each resource in Azure can only exist in one resource group, and resource groups 
cannot be renamed. There are no limitations to the types of resources that can be logically 
contained within a resource group, and there are no limitations on the regions in which 
resources must reside when in a resource group. 


Figure 1-31 shows this hierarchy with an Azure subscription, multiple resource groups, and 
the resources that reside within those resource groups. 


[Diagram: an Azure Subscription containing two Resource Groups; the resources inside them include Azure App Service, Virtual Machine and Azure SQL Database instances]

FIGURE 1-31 Azure hierarchy 


Configure Azure policies 


Azure Policy is an Azure service that can be used to create, assign, and manage policies that 
enforce governance in your Azure environment. This includes the application of rules that 
allow or deny a given resource type, apply tags automatically, and even enforce data sover- 
eignty. Azure RBAC and Azure Policy are often used in combination. Where Azure RBAC con- 
trols individual user access, group access, and rights to your Azure environments at a specific 
scope, Azure Policy provides a mechanism to express how the environment is governed for all 
users at a specified scope regardless of any RBAC assignments. Another way to state this is that 
Azure RBAC is a default deny mechanism with an explicit allow mechanism, whereas Policy is a 
default allow mechanism with an explicit deny system. 


To implement Policy, a Policy definition must first be authored. That Policy definition is then 
assigned to a specific scope using a Policy assignment. Recall that scope refers to what your policy is 
assigned to; the valid scopes are a management group, a subscription, a resource group, or a resource. 


Policy definitions can also be packaged using initiative definitions and applied to a scope 
using initiative assignments. Policy and initiative definitions both support parameter sets, 
which help simplify the re-use of a Policy at multiple scopes. 


A Policy definition describes your desired behavior for Azure resources at the time 
resources are created or updated. Through a Policy definition, you declare what resources 
and resource features are considered compliant within your Azure environment and what 
should happen when a resource is non-compliant. For example, you can create a Policy that 
states that resources can only be created in the East US and West US regions for an entire 
subscription. If a user attempts to create a resource in East US, Azure Policy can deny the 
creation of the resource because it does not meet the stated compliance goal for allowed 
regions. In this example, Policy is used to deny the creation of a resource and to enforce 
organizational standards. As we further explore Policy, you will learn that Policy can be used 
as not just a deny mechanism, but it also can be used as an auditing and creation mechanism. 


Policy definitions are authored in JSON. The schema for Azure Policy can be downloaded 
from https://schema.management.azure.com/schemas/2019-06-01/PolicyDefinition.json. A 
Policy definition contains these elements: 

■ Mode 
■ Parameters 
■ Display Name 
■ Description 
■ Policy Rule 
  ■ Logical Evaluation 
  ■ Effect 


NOTE POLICY DEFINITION 

While you do not need to memorize the schema, it is worthwhile to understand the elements 
of a Policy definition and how to build your own policies from a blank template when neces- 
sary. Microsoft offers a number of built-in Policy definitions and maintains a repository of 
samples at https://docs.microsoft.com/en-us/azure/governance/policy/samples/ and 
https://github.com/Azure/azure-policy. 


Policy definitions can be created through the Azure portal by browsing to the Policy service 
at All Services and then choosing Policy > Definitions. From this blade, you can manage 
both built-in policies and any custom policies that you create. Figure 1-32 shows a list of the 
built-in policies for the selected subscription. 


[Screenshot: Policy > Definitions blade for the Visual Studio Ultimate with MSDN subscription, listing built-in policies with Definition location, Policies, Type, Definition type and Category columns and a Search box]

FIGURE 1-32 Azure built-in policies 
Keep in mind that Policy can also be managed and applied at the management group 
scope. By associating policies with management groups, Policy definitions and Policy assign- 
ments can be shared across multiple subscriptions. This includes the ability to monitor multiple 
subscriptions for compliance. It also allows you to secure the management of organization- 
wide Policy at a level above a single subscription. 


When managing resource groups—and in many cases the multiple Azure services that 
reside within them— Azure Policy with Policy definitions and Policy assignments can be used 
to govern those resources. Initiative definitions and initiative assignments can be used to 
govern those same resources, but instead of applying multiple Policy definitions and making 
multiple Policy assignments, you can package or group multiple definitions into a single initia- 
tive and then assign that initiative to your desired scope. 

Controlling resource groups with Azure Policy is done by scoping the assignment of Policy 
and initiatives. Recall that Azure Policy supports multiple scopes: 

■ Management group. Assignments scoped at the management group (either the Tenant Root Group or a child group) apply to all child resources in the management group, including child management groups, all subscriptions, resource groups, and resources. 

■ Subscription. Assignments scoped to a subscription apply to all child resources in the subscription, including resource groups and resources. 

■ Resource group. Assignments scoped to a resource group apply to all child resources in the resource group. 

When creating assignments, it is also possible to configure excluded scopes. You always 
have the ability to exclude a subscope. For example, when scoping an assignment to a man- 
agement group, any subscriptions, resource groups, or even resources that are children of the 
management group, can be excluded. When scoping an assignment to a subscription, child 
resource groups and resources can be excluded. When scoping an assignment to a resource 
group, only child resources can be excluded. 

The flexibility of Policy scoping is a powerful feature of Azure Policy. This allows you to 
model your environments with rich declarations in the form of Policy definitions that are 
applied exactly as required by your organization's governance needs. 

Imagine you have an environment with the following requirements: 

■ All resources should be tagged with the tag "Environment" and the value "Dev/Test". 

■ Only A-Series and D-Series virtual machines can be created, specifically Standard A0, A1, and D2 virtual machines that are not promotional. 

■ Resources in the rgCoreNetwork resource group are exempt from these policies. 


To model this environment with Azure Policy, you can create two Policy definitions (or use 
built-in Policy definitions where applicable), as shown in Table 1-2. 
TABLE 1-2 Azure Policy definitions example 

Policy Field   Policy Effect   Description 
type           Deny            Do not create virtual machines if they are not in the A-Series or D-Series SKU 
tags           Append          Append tag name "Environment" and tag value "Dev/Test" to all resources 
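The two definitions in Table 1-2, packaged into one initiative and assigned to the subscription with rgCoreNetwork excluded, can be modelled offline to see how the Policy Rule elements (logical evaluation and effect) and the assignment scope interact. The following Python is an added example; it is not code from the book or from the Azure Policy service. The JSON documents are written in the shape of the Azure Policy definition schema described above (mode, parameters, displayName, policyRule with if/then, and the assignment's scope and notScopes), using the Microsoft.Compute/virtualMachines/sku.name alias for the VM size. The evaluator is a small local approximation that understands only the subset of the rule language used here. The subscription id SUB-ID, the resource group rgDev, the VM names and the request bodies are constructed; the SKU list uses the Standard_A0, Standard_A1 and Standard_D2 sizes from the requirements.

```python
"""Offline model of the Dev/Test Azure Policy scenario from Table 1-2.
Added example, not code from the book or from the Azure Policy service: the
definitions, initiative and assignment follow the Azure Policy JSON shape, but
the evaluator understands only the subset used here (field/equals/in/exists,
not, allOf, parameters(), concat(), notScopes). Ids are placeholders."""
import re

ALLOWED_SKUS_POLICY = {
    "displayName": "Allowed virtual machine size SKUs", "mode": "Indexed",
    "parameters": {"listOfAllowedSKUs": {"type": "Array"}},
    "policyRule": {
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
            {"not": {"field": "Microsoft.Compute/virtualMachines/sku.name",
                     "in": "[parameters('listOfAllowedSKUs')]"}}]},
        "then": {"effect": "deny"}}}

APPEND_TAG_POLICY = {
    "displayName": "Append a tag and its value to resources", "mode": "Indexed",
    "parameters": {"tagName": {"type": "String"}, "tagValue": {"type": "String"}},
    "policyRule": {
        "if": {"field": "[concat('tags[', parameters('tagName'), ']')]", "exists": "false"},
        "then": {"effect": "append", "details": [
            {"field": "[concat('tags[', parameters('tagName'), ']')]",
             "value": "[parameters('tagValue')]"}]}}}

# Initiative: definitions with parameter values; one assignment with the exempt RG.
DEV_TEST_INITIATIVE = [
    (ALLOWED_SKUS_POLICY, {"listOfAllowedSKUs": ["Standard_A0", "Standard_A1", "Standard_D2"]}),
    (APPEND_TAG_POLICY, {"tagName": "Environment", "tagValue": "Dev/Test"})]
DEV_TEST_ASSIGNMENT = {"scope": "/subscriptions/SUB-ID",          # placeholder subscription
                       "notScopes": ["/subscriptions/SUB-ID/resourceGroups/rgCoreNetwork"]}
_PARAM = re.compile(r"parameters\('([^']+)'\)")


def resolve(value, params):
    """Resolve [parameters('x')] and [concat('lit', parameters('x'), ...)] expressions."""
    if not (isinstance(value, str) and value.startswith("[") and value.endswith("]")):
        return value                                   # plain literal
    expr = value[1:-1]
    if expr.startswith("concat(") and expr.endswith(")"):
        return "".join(t.strip("'") if t.startswith("'") else str(resolve(f"[{t}]", params))
                       for t in (p.strip() for p in expr[7:-1].split(",")))
    m = _PARAM.fullmatch(expr)
    if m:
        return params[m.group(1)]
    raise ValueError(f"unsupported expression: {value}")


def field_value(resource, field):
    """Read 'type', tags[name] or the VM size alias from a resource document."""
    if field.startswith("tags[") and field.endswith("]"):
        return resource.get("tags", {}).get(field[5:-1])
    if field == "Microsoft.Compute/virtualMachines/sku.name":   # alias -> properties path
        return resource.get("properties", {}).get("hardwareProfile", {}).get("vmSize")
    return resource.get(field)


def evaluate(cond, resource, params):
    """True when the 'if' condition matches, i.e. the resource is non-compliant."""
    if "allOf" in cond:
        return all(evaluate(c, resource, params) for c in cond["allOf"])
    if "not" in cond:
        return not evaluate(cond["not"], resource, params)
    actual = field_value(resource, resolve(cond["field"], params))
    if "equals" in cond:
        return actual == resolve(cond["equals"], params)
    if "in" in cond:
        return actual in resolve(cond["in"], params)
    if "exists" in cond:
        return (actual is not None) == (str(cond["exists"]).lower() == "true")
    raise ValueError(f"unsupported condition: {cond}")


def in_scope(resource_id, assignment):
    """Covered by the assignment scope and not carved out by a notScope (exclusion)."""
    rid = resource_id.lower()
    covers = lambda s: rid.startswith(s.lower() + "/")
    return covers(assignment["scope"]) and not any(covers(s) for s in assignment["notScopes"])


def apply_initiative(resource, initiative=DEV_TEST_INITIATIVE, assignment=DEV_TEST_ASSIGNMENT):
    """Return (allowed, resource after effects) for a create/update request."""
    resource = {**resource, "tags": dict(resource.get("tags", {}))}
    if not in_scope(resource["id"], assignment):
        return True, resource                          # excluded scope: nothing applies
    for definition, params in initiative:
        rule = definition["policyRule"]
        if not evaluate(rule["if"], resource, params):
            continue                                   # compliant with this policy
        if rule["then"]["effect"] == "deny":
            return False, resource
        for d in rule["then"].get("details", []):      # append effect
            resource["tags"][resolve(d["field"], params)[5:-1]] = resolve(d["value"], params)
    return True, resource


def vm(resource_group, name, size, tags=None):
    """Constructed VM request body, as Policy sees it at create/update time."""
    return {"id": f"/subscriptions/SUB-ID/resourceGroups/{resource_group}"
                  f"/providers/Microsoft.Compute/virtualMachines/{name}",
            "type": "Microsoft.Compute/virtualMachines", "tags": tags or {},
            "properties": {"hardwareProfile": {"vmSize": size}}}
```

Calling apply_initiative on a Standard_D4 VM in rgDev returns a denial, a Standard_A1 VM in rgDev is allowed and comes back with Environment=Dev/Test appended, and any VM in rgCoreNetwork is left untouched because the exclusion removes it from the assignment's scope. Note that Append only adds a tag that is missing; it never corrects a wrong value. If the requirement is that the value must be exactly Dev/Test, the built-in Require a tag and its value on resources policy used later in this section is the one that denies a mismatched request.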


In the Azure portal, browse to the Policy service and select the Definitions blade. To 
reduce administrative overhead, a new initiative definition will be created. Initiative definitions 
are a collection of Policy definitions that are focused on the same goal. They allow for a set of 
policies to be grouped as a single item. 


From the Definitions blade, select +Initiative Definition, as shown in Figure 1-33. 


[Screenshot: Home > Policy | Definitions, scoped to the Visual Studio Ultimate with MSDN subscription, with the + Initiative definition and + Policy definition commands and a list of built-in definitions such as Audit Windows VMs in which the Administrators group ... and [Preview]: Audit CIS Microsoft Azure Foundations Benchmark ...]

FIGURE 1-33 Azure Policy Definitions blade 




Enter Dev/Test Compliance into the Name field, select the Definition Location, and 
choose Create New from the Category options. Type Custom in the Category field, as 
shown in Figure 1-34. 


[Screenshot: Home > Policy | Definitions > Initiative definition. Definition location: Visual Studio Ultimate with MSDN; Name: Dev/Test Compliance; Description: This initiative collects the policies that apply to the Dev/Test environment; Category: Create new, Custom; Initiative parameters (Parameter name, Display name, Type, Allowed values)]

FIGURE 1-34 Azure Policy Initiative Definition 


Add the following built-in policies to the definition and set the values as noted (see 
Figure 1-35): 

■ Policy Name. Require a tag and its value on resources, with the following values: 
  ■ Tag Name. Environment 
  ■ Tag Value. Dev/Test 

■ Policy Name. Allowed virtual machine SKUs, with the following values: 
  ■ Allowed SKUs. Standard_A1; Standard_A1_v2; Standard_A2; Standard_A2_v2; Standard_A3; Standard_A4 and Standard_A4_v2 
[Screenshot: the initiative definition with two built-in policies. Require a tag and its value on resources (Tag Name: Environment; Tag Value: Dev/Test) and Allowed virtual machine size SKUs (Allowed Size SKUs: 7 selected, from the list Standard_A1, Standard_A1_v2, Standard_A2, Standard_A2_v2, Standard_A3, Standard_A4, Standard_A4_v2)]

FIGURE 1-35 Azure Policy new initiative definition policies and parameters 


Click the Save button to save the definition so it can be used in an initiative assignment. 
Browse to the Assignments blade and select Assign Initiative (see Figure 1-36). 


[Screenshot: Home > Policy | Assignments with the Assign initiative and Assign policy commands; counters for Total Assignments, Initiative Assignments and Policy Assignments; one existing Allowed locations policy assignment scoped to Visual Studio Ultimate with MSDN]

FIGURE 1-36 Azure Policy Assignments blade 


To meet the environment's requirements, set the Scope of the assignment to the target 
subscription and configure the Exclusions to exclude the rgCoreNetwork resource group. 
Also, set the Initiative Definition to Dev/Test Compliance and set the Assignment Name to 
Dev/Test Compliance. Lastly, make sure Policy Enforcement is enabled (see Figure 1-37). Then 
click Review + Create, and then click Create. 




[Screenshot: Home > Policy | Assignments > Assign initiative, Basics tab. Scope: Visual Studio Ultimate with MSDN; Exclusions: Visual Studio Ultimate with MSDN/rgCoreNetwork; Initiative definition: Dev/Test Compliance; Assignment name: Dev/Test Compliance; Policy enforcement: Enabled; Assigned by: Harshul Patel]

FIGURE 1-37 Azure Policy Assign initiative blade 


After Policy definitions have been assigned, either through Policy assignments or initia- 
tive assignments, the effects of the Policy will be immediately applicable. Policy evaluation 
for compliance happens about once an hour, which means you might not be able to view the 
compliance state of a new assignment immediately. 


Compliance state can be viewed on the Compliance blade of the Azure Policy service. You 
can delete, edit, and duplicate the Policy assignment by right-clicking it on the Compliance 
blade, as shown in Figure 1-38. 
[Screenshot: Policy | Compliance blade listing non-compliant policies]

FIGURE 1-38 Azure Policy Compliance blade 


Configure resource locks 


Azure resource locks (sometimes called management locks) are used to prevent the accidental 
deletion or modification of resources. There are two types of locks: 

■ CanNotDelete. This lock prevents the deletion of a resource. A CanNotDelete lock only prevents deletion of a resource and does not impede the modification of a resource. 

■ ReadOnly. This lock prevents users from modifying a resource, which includes updating or deleting a resource. 


Note that both types of resource locks allow for authorized users to read resources; 
resource locks apply across all users and roles, even custom and privileged roles. 


Resource locks, regardless of type, can be applied to the subscription, resource group, and 
resource scopes. When you apply a lock to a scope, the resources within that scope inherit the 
lock. This means that a lock applied to the resource group scope applies to all the resources in 
the resource group. Resource locks apply to all service instances and resources within a scope. 


Lock inheritance varies based on the type of lock that is applied. ReadOnly locks are inher- 
ited by child resources. CanNotDelete locks are also inherited by child resources, but with a 
side effect: if a CanNotDelete lock is applied to one of the resources in a resource group and 
you attempt to delete that resource group, the deletion will fail. When you try to delete the 
resource group, the operation tries to delete all the underlying resources first; it will not be 
able to delete the resource that carries the CanNotDelete lock, and so the resource group 
deletion fails as well. 


Note that resource locks get applied to the management plane of Azure. This means 
resource locks don’t affect the resource’s own functionality; instead, they restrict the interac- 
tions with other Azure resources. For example, a ReadOnly lock applied to a Storage Account 
would prevent users from reading the access keys. If you attempt to read or modify the access 
keys, the operation will fail with a “Cannot access the data plane because of a read lock on the 
resource or its parent” error, as shown in Figure 1-39. 
FIGURE 1-39 Read-only lock applied to Storage Account 


When creating locks, you should exercise caution because they can have unexpected 
results. Many operations appearing to be read operations require write access within the Azure 
management plane. For example, the same ReadOnly lock on a storage account would pre- 
vent users from creating new containers because the action requires write access. 


Once you have determined the type of lock you will apply based on your requirements, 
you can apply the lock through the Azure portal, Azure PowerShell, the Azure CLI, Resource 
Manager templates, or the REST API. 


To create a lock through the Azure portal, browse to the desired scope and select the Locks 
blade. From the blade, select +Add to create a new lock. Give the lock a Lock Name, select the 
Lock Type, and describe the lock in the Notes field, as shown in Figure 1-40. 


[Screenshot: Add lock. Lock name: StorageAccountLock; Lock type: Read-only; Notes: Prevent changes to the storage account]

FIGURE 1-40 Creating a lock 


Apply and manage tags on resources 


Resource tags allow you to apply custom metadata to your Azure resources to logically orga- 
nize them and to build out custom taxonomies. A tag is a name and a value pair. For example, 
as you deploy resources in Azure, you want to track the environment the resource is associ- 
ated with. To do this, you can create a tag called Environment and the value Production for all 
resources in production. For downstream environments such as development or test environ- 
ments, you can use the same Environment tag with the Dev/Test value. Common tags include 
the environment with which a resource is associated, a cost center or billing code, and resource 
owner. 


As tags are applied, you can query the resources in your subscription using your tags, and 
you can even do this across resource groups. This allows you to understand related resources 
across resource groups for both billing and management. Tags are also included in the billing 
data for Azure EA subscriptions through the EA Portal and for non-EA subscriptions through 
the Account Portal at https://account.azure.com/subscriptions. Billing exports give a clear line 
of sight for chargeback to understand resource usage and cost. Figure 1-41 shows an example 
of an export with resource tags from an Azure EA subscription. 


[Spreadsheet excerpt: columns PublisherType, ChargeType, ServiceName, ServiceTier, Meter, PartNumber and CostUSD; the sample rows are azure usage lines for storage meters such as premium SSD managed P10 disks and standard page blob disk read and write operations]

FIGURE 1-41 Azure detailed usage export 


NOTE TAGS AND USAGE REPORTS 


Tags must be applied at the resource scope to be visible in detailed usage exports. Tags 
applied at the resource group scope are not inherited by child resources. This means that 
as you are applying tags to your resources in Azure, you should think about applying tags 
to each resource to have the clearest line of sight into your usage based on your organiza- 
tional tags. 


When planning for resource tags, any taxonomy should include a strategy for both on- 
demand (or self-service) tagging and automatic tagging through Azure Policy. In the “Config- 
ure Azure policies” section, you learned how to automatically apply tags using Azure Policy. In 
this section, you will learn how to create tags and manually apply them to resources. 


As you plan your tagging taxonomy, be mindful of the limitations of tags in Azure, as 
detailed in Table 1-3. 


TABLE 1-3 Azure Tag Limitations 

Tag Limit              Notes 
Resource support       Not all resource types support tags. This means that you will not be able to apply tags to everything in Azure. For example, management groups and generalized VMs don't support tags. Refer to this link: https://docs.microsoft.com/azure/azure-resource-manager/management/tag-support. 
Number of tags         Resources, resource groups, and subscriptions are limited to 50 tags. Each resource can have different tags. 
Tag name               Tag names cannot exceed 512 characters. For storage accounts, tag names are limited to 128 characters. 
Tag value              Tag values cannot exceed 256 characters. 
Virtual machine tags   VMs cannot exceed 2048 characters for all tag names and values combined. 
Tag inheritance        Tags are not inherited by child resources. Tags applied to a resource group are not applied to resources in that resource group. 
Classic resources      Tags cannot be applied to classic resources and are only available for resources created in the Azure Resource Manager model. 
Illegal characters     Tag names cannot contain the following characters: <, >, %, &, \, ?, / 

To apply tags to a subscription, resource group, or resource, the user applying the tag must 
have write access to the resource (Contributor role or higher access). 
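A cheap way to catch Table 1-3 violations before a deployment is rejected is to lint the tag set locally. The following Python is an added example, not code from the book or from Azure: it encodes the numeric limits and the illegal-character list exactly as the table states them, uses the ARM resource type strings for storage accounts and virtual machines to select the stricter rules that apply to those types, and the tag sets in the checks are constructed. Note that the illegal characters apply to tag names only, which is why a value such as Dev/Test (used throughout this section) is accepted.

```python
"""Client-side check of a tag set against the limits in Table 1-3.
Added example, not code from the book or from Azure: the numeric limits and the
illegal-character list are the ones the table states, the resource type strings
are ARM resource types, and the tag sets used in checks are constructed."""
ILLEGAL_NAME_CHARS = set("<>%&\\?/")      # Table 1-3: forbidden in tag NAMES only
MAX_TAGS, MAX_NAME, MAX_NAME_STORAGE, MAX_VALUE, MAX_VM_TOTAL = 50, 512, 128, 256, 2048
STORAGE, VM = "Microsoft.Storage/storageAccounts", "Microsoft.Compute/virtualMachines"


def validate_tags(tags, resource_type):
    """Return a list of violations; an empty list means the tag set is within limits."""
    problems = []
    if len(tags) > MAX_TAGS:
        problems.append(f"{len(tags)} tags exceed the limit of {MAX_TAGS}")
    # Storage accounts have the shorter 128-character name limit.
    name_limit = MAX_NAME_STORAGE if resource_type == STORAGE else MAX_NAME
    total = 0
    for name, value in tags.items():
        total += len(name) + len(value)
        bad = sorted(ILLEGAL_NAME_CHARS & set(name))
        if bad:
            problems.append(f"tag name {name!r} contains illegal character(s) {''.join(bad)}")
        if len(name) > name_limit:
            problems.append(f"tag name {name[:20]!r}... exceeds {name_limit} characters")
        if len(value) > MAX_VALUE:
            problems.append(f"value of tag {name!r} exceeds {MAX_VALUE} characters")
    # Only virtual machines have the combined names-plus-values budget.
    if resource_type == VM and total > MAX_VM_TOTAL:
        problems.append(f"VM tag names and values total {total} characters; limit is {MAX_VM_TOTAL}")
    return problems
```

Run validate_tags over the tag dictionary you are about to pass to New-AzTag or to a Resource Manager template's tags property; an empty result means the request will not be rejected for any of the reasons listed in Table 1-3 (support for tags on the resource type itself still has to be checked against the linked reference).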


Tags can be created and applied to Azure resources through: 

■ The Azure portal 
■ Azure PowerShell 
■ The Azure CLI 
■ Resource Manager templates 
■ Resource Manager REST API 


This means tags can be applied both imperatively and declaratively through Resource 
Manager templates. While tagging can be done through the Azure portal, PowerShell, the CLI, 
or Resource Manager templates, templates are better suited when tags are applied as resources 
are created, because you don't want to perform this manually for each resource after deployment. 


Tags can be applied at the subscription, resource group, and/or the resource level. Note 
again that there is no inheritance for tags. If you need a tag to be applied to all resources in a 
resource group, each resource must be tagged individually. 


You can apply new tags to resources by using these PowerShell commands: 


# Build the tag set, look up the resource, and create the tags on its resource ID
$tags = @{"Environment"="Production"; "Application"="ABC123"}
$resource = Get-AzResource -Name prodServer -ResourceGroupName prodRG
New-AzTag -ResourceId $resource.Id -Tag $tags


Alternatively, you can use the az tag create Azure CLI command to create new tags. Also, 
you can update tags by using the following PowerShell commands: 


# Replace the existing tags on the resource with the new set
$tags = @{"Environment"="Non-Production"; "Application"="ABC123"}
$resource = Get-AzResource -Name prodServer -ResourceGroupName prodRG
Update-AzTag -ResourceId $resource.Id -Tag $tags -Operation Replace


If you use the -Operation parameter with the Update-AzTag command, it supports three values: 

■ Replace. Replaces the specified tags in the listed resources 

■ Merge. Merges the newly specified tags with the existing ones and overrides the conflicts for the listed resources 

■ Delete. Deletes the specified tags from the listed resources 


Alternatively, you can use the az tag update Azure CLI command to update tags. 


Create and manage resource groups 


When creating resource groups, keep in mind that a single resource can be associated with 
only one resource group at a time, and consider the following: 

■ A resource group cannot be nested in another resource group. 
■ You can add or remove a resource from a resource group at any time. 
■ You can move a resource from one resource group to another. 
■ A resource group can be used to scope access control. 
■ A resource group can be used to scope Policy. 
■ A resource in a resource group can interact with resources in another resource group. 
■ A resource group is created in a location. The location of a resource group specifies where the metadata for the resource group is stored. If you have compliance constraints, this is an important consideration. 
■ Microsoft recommends that all resources in a resource group share the same lifecycle. 
■ It is not mandatory to have all Azure resources belong to a resource group. Resources deployed to a subscription, tenant, or management group exist outside of resource groups. 

Creating a resource group through the Azure portal is straightforward. You need only a region 
(location) and a valid resource group name (see Figure 1-42). Optionally, you can also apply 
tags to the resource group explicitly. 


[Screenshot: Home > Resource groups > Create a resource group, Basics tab (tabs: Basics, Tags, Review + create). Subscription: Visual Studio Ultimate with MSDN; Resource group: ExamRefRG; Region: (US) East US]

FIGURE 1-42 Creating a resource group 
Move resources across resource groups 


Some resources in Azure can be moved between resource groups and even across subscrip- 
tions, but support for move operations varies based on the service. A reference of services that 
can be moved can be found at https://docs.microsoft.com/azure/azure-resource-manager/ 
move-support-resources. In Figure 1-43, the VM in Resource Group 2 can be moved into 
Resource Group 1, and it can also be moved across subscriptions into the resource group in 
Subscription 2. 


IMPORTANT MOVE OPERATIONS 


Even if a resource states that it supports move operations, there can be other factors 
that prevent the resource from moving. To find out move operation support for Azure 
resources, see https://docs.microsoft.com/azure/azure-resource-manager/management/ 
move-support-resources. 


[Diagram: Subscription 1 containing Resource Group 1 and Resource Group 2, and Subscription 2 containing a Resource Group; the VM in Resource Group 2 can move to Resource Group 1 or across to the resource group in Subscription 2]

FIGURE 1-43 Moving resources diagram 


During a move operation, your resources will be locked. Both write and delete operations 
to the Azure resource will be blocked, but the underlying service will continue to function. For 
example, if you move an Azure App Service, the service will continue to serve web requests to 
visitors. It can take up to four hours for a move operation to complete. If the move operation 
fails within the four-hour window, resource manager will reattempt the move operation. 


To move resources between subscriptions, both subscriptions must be associated with the 
same Azure AD tenant. If the subscriptions do not belong to the same tenant, you can update 
the target subscription to use the source Azure AD tenant by transferring ownership of the 
subscription to another account. Note that this operation can have unexpected effects because 
the Azure AD tenant associated with a subscription is used for RBAC to any currently deployed 
Azure services. 


MORE INFO TRANSFER SUBSCRIPTION OR POINT TO NEW AZURE AD TENANT 


To transfer ownership of an Azure subscription to another account, see 
https://docs.microsoft.com/azure/cost-management-billing/manage/billing-subscription-transfer. 
Also, to add an Azure subscription to a new Azure AD tenant, see https://docs.microsoft.com/azure/ 
active-directory/fundamentals/active-directory-how-subscriptions-associated-directory. 
When moving resources between subscriptions, the resource provider of the source resource 
must also be registered in the target subscription. This is not a concern when moving resources 
within the same subscription because the resource provider will already be registered. 


If you are moving resources between subscriptions, you must also be mindful of resource 
quotas. For example, if you are moving many virtual machines, you will need to make sure that 
the target subscription has enough vCPUs available or the move operation will fail. Make sure 
you validate any quotas prior to moving a resource. 


Finally, there are limitations in Azure Resource Manager that affect the number of resources 
you can move in a single operation. A single move operation in Resource Manager cannot 
move more than 800 resources. With this constraint, it is recommended that you break large 
operations into smaller batches. Note that even if you are moving less than 800 resources in a 
single move request, the operation may still fail by timing out. 


If the resource you are moving has any dependent resources, the resources must all be 
located within the same resource group, and they must all be moved together. 


Once you have met the stated prerequisites to a move operation, you are ready to perform 
the move operation. You can move the resources with the Azure portal, Azure PowerShell, the 
Azure CLI, or the REST API. Note that Azure performs basic validation before performing the 
actual move operation, irrespective of the method being used. Additionally, you can validate 
the move operation through the REST API with the validateMoveResources method without 
actually performing the move operation. This API validates whether resources can be moved 
from one resource group to another resource group. If validation succeeds, an HTTP 204 will 
be returned, and if it fails, an HTTP 409 with an error message will be returned in the response. 
This method can be called with a POST request to: 


https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/ 
{sourceResourceGroupName}/validateMoveResources?api-version=2018-05-01 


In a POST request, include a request body with "resources" and "targetResourceGroup" 
properties: 


{ 
  "resources": ["<resource-id-1>", "<resource-id-2>"], 
  "targetResourceGroup": "/subscriptions/<subscription-id>/resourceGroups/<target-group>" 
} 


If the request is properly formatted, the operation will return output like the following: 


Response Code: 202 

cache-control: no-cache 

pragma: no-cache 

expires: -1 

location: https://management.azure.com/subscriptions/<subscription-id>/ 
operationresults/<operation-id>?api-version=2018-02-01 

retry-after: 15 
The HTTP 202 response code shows the request was accepted. The location URI can be used 
in an HTTP GET to check the status of the long-running operation for the final 
HTTP 204 or HTTP 409 status code. Figure 1-44 shows the output of an operation to validate a 
move request for an Azure Automation account associated with a Log Analytics workspace. As 
expected, the validation operation returned an HTTP 409 because this move request cannot be 
executed. 
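The request and status handling just described can be wrapped in a small pre-flight client that an administrator runs before a move. The following Python is an added example, not code from the book or from an Azure SDK: it builds the POST exactly as shown above, follows the location URI while the service keeps answering HTTP 202 (honouring retry-after), and maps the final HTTP 204 or HTTP 409 to a result. It also refuses resource IDs that are not in the source resource group, since the call is scoped to one group and dependent resources must travel together. The HTTP transport is passed in as a function so the block runs offline against constructed responses; the subscription, resource group and resource IDs, and the error body, are placeholders.

```python
"""Pre-flight check of a resource move with the validateMoveResources REST call.
Added example, not code from the book or from an Azure SDK: the URL, body and
status handling (202 -> poll the location URI, 204 success, 409 failure) follow
the text above; the HTTP transport is injected so the function runs offline
against constructed responses. Subscription, group and resource ids are
placeholders."""
import json
import time

ARM = "https://management.azure.com"
API_VERSION = "2018-05-01"


def validate_move(subscription_id, source_rg, resource_ids, target_rg_id, send,
                  max_polls=20, sleep=time.sleep):
    """Return (True, None) if the move would succeed, (False, message) if it would not.

    `send(method, url, body)` must return (status_code, headers, body_text); in
    production wrap your authenticated HTTP client in a function of that shape,
    so that credentials never pass through this code.
    """
    path = f"/subscriptions/{subscription_id}/resourceGroups/{source_rg}"
    for rid in resource_ids:                       # the call is scoped to ONE source group
        if not rid.lower().startswith(path.lower() + "/"):
            raise ValueError(f"{rid} is not in resource group {source_rg}")
    url = f"{ARM}{path}/validateMoveResources?api-version={API_VERSION}"
    body = json.dumps({"resources": list(resource_ids), "targetResourceGroup": target_rg_id})
    status, headers, text = send("POST", url, body)
    for _ in range(max_polls):                     # long-running operation: follow location
        if status != 202:
            break
        h = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
        sleep(int(h.get("retry-after", "15")))
        status, headers, text = send("GET", h["location"], None)
    if status == 204:
        return True, None
    if status == 409:
        try:                                       # ARM error bodies carry error.message
            return False, json.loads(text)["error"]["message"]
        except (ValueError, KeyError, TypeError):
            return False, text or "HTTP 409 without a message body"
    raise RuntimeError(f"unexpected HTTP {status} from validateMoveResources")


def scripted_transport(responses):
    """Constructed transport that replays scripted (status, headers, body) tuples."""
    queue = list(responses)

    def send(method, url, body):
        return queue.pop(0)
    return send
```

Because the function only needs a `send` callable, the same code can be driven by a scripted transport in a unit test and by a real client in operation; a 409 comes back as a readable message rather than an exception, so the move can be stopped before anything is locked for up to four hours.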


FIGURE 1-44 ValidateMoveResources API Response 


To use the Azure portal, browse to the resource group containing the resources, select the 
Move button, and choose Move To Another Resource Group or Move To Another Subscription, 
as shown in Figure 1-45. 


[Screenshot: ExamRefRg resource group blade with the Move button on the toolbar]

FIGURE 1-45 Move button in the Azure portal 


You can now select the resources to move and select the destination resource group. Note 
that you must acknowledge that you might need to update existing tools or scripts to account 
for the changes in resource IDs (see Figure 1-46). 
[Screenshot: the acknowledgment checkbox reads "I understand that tools and scripts associated with moved resources will not work until I update them to use new resource IDs"] 


FIGURE 1-46 Move Resources blade 


Remove resource groups 


In Azure, you can delete individual resources in a resource group, or you can delete a resource 
group and all its resources. Deleting a resource group removes all the resources contained 
within it in one operation. When deleting resource groups, exercise caution because the 
resource group might contain resources that other resources you have deployed depend on. 
For example, if you attempt to delete a storage account that is used by an application to store 
application data, the Azure platform will not recognize that dependency and will allow the 
storage account to be deleted. 

For resources that have dependent resources, you will not be able to delete the target 
resource until the dependencies have been cleared. For example, to delete a resource group 
that contains an App Service plan, you must first remove or disassociate any App Services that 
depend on that plan. An example of attempting to delete an App Service plan with existing 
App Service associations is shown in Figure 1-47. 
FIGURE 1-47 Delete an Azure resource with dependencies 
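The App Service plan case above is a small instance of a general problem when scripting a clean-up: dependents must go before the resources they depend on. The following is an added example, not code from the book. Azure itself rejects the out-of-order delete; this shows the ordering an administrator computes before issuing the deletes. The inventory and the dependency edges are constructed; a real run would derive them from resource properties (an app's serverFarmId, for instance).

```python
"""Work out the order in which a resource group's contents can be deleted when
some resources depend on others, as with App Services and their App Service
plan. Added example, not the book's code. The inventory and the dependency
edges are constructed."""
from typing import Dict, List

# Constructed inventory: resource name -> resource type.
RESOURCES: Dict[str, str] = {
    "examref-plan": "Microsoft.Web/serverfarms",
    "examref-web": "Microsoft.Web/sites",
    "examref-api": "Microsoft.Web/sites",
    "examrefstorage": "Microsoft.Storage/storageAccounts",
}

# Constructed dependency edges: dependent -> resources it depends on. A dependency
# the platform cannot see (an app keeping its data in the storage account) is
# absent here, just as the text says Azure will not detect it.
DEPENDS_ON: Dict[str, List[str]] = {
    "examref-web": ["examref-plan"],
    "examref-api": ["examref-plan"],
}


def blockers(resource: str, depends_on: Dict[str, List[str]] = DEPENDS_ON) -> List[str]:
    """Resources that must be removed or disassociated before `resource` can go."""
    return sorted(d for d, targets in depends_on.items() if resource in targets)


def deletion_order(resources: Dict[str, str],
                   depends_on: Dict[str, List[str]] = DEPENDS_ON) -> List[str]:
    """Topological order that deletes dependents before what they depend on.
    Raises ValueError if the edges contain a cycle (nothing could be deleted first)."""
    # Count, for every resource, how many others still depend on it.
    pending = {name: 0 for name in resources}
    for targets in depends_on.values():
        for target in targets:
            pending[target] += 1
    ready = sorted(name for name, count in pending.items() if count == 0)
    order: List[str] = []
    while ready:
        current = ready.pop(0)
        order.append(current)
        for target in depends_on.get(current, []):
            pending[target] -= 1
            if pending[target] == 0:
                ready.append(target)
                ready.sort()
    if len(order) != len(resources):
        raise ValueError("dependency cycle; no resource can be deleted first")
    return order


if __name__ == "__main__":
    print("blocked by:", blockers("examref-plan"))
    print("delete in this order:", deletion_order(RESOURCES))
```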


To delete a resource group, you can use the Azure portal, Azure PowerShell, the Azure CLI, 
or the REST API. 


To delete a resource group in the Azure portal, browse to the resource group and click the 
Delete Resource Group button (see Figure 1-48). 




FIGURE 1-48 Delete Resource Group 


In the Are You Sure You Want To Delete [“resource group name”]? dialog box that 
opens, you will need to type the resource group name to confirm that you want to delete it. 
As shown in Figure 1-49, the blade will also show the affected resources and warn you that the 
operation is irreversible. 


[Screenshot of the confirmation dialog: "Warning! Deleting the "ExamRefRg" resource group is irreversible. The action you're about to take can't be undone. Going further will delete this resource group and all the resources in it permanently." The resource group name must be typed to confirm, and the affected resources are listed (test342345325, Storage account, East US).] 


FIGURE 1-49 Azure resource group deletion confirmation 
Selecting Delete will begin deleting resources immediately. Note that it can take several 
minutes for a resource group to be deleted because each resource is deleted individually. 


Manage Azure Subscriptions 


Azure subscriptions have controls available that govern access to the resources within a sub- 
scription, govern cost through quotas and tagging, and govern the resources that are allowed 
in an environment with Azure Policy. 


As discussed earlier, a subscription is a logical unit of Azure services linked to an Azure 
account, which is an identity in Azure Active Directory (Azure AD). Azure AD is an identity 
provider for Azure and provides authentication to resources in an Azure subscription. The 
resources themselves then have role-based access controls applied to them that provide 
authorization to the resources (see Figure 1-50). 


[Figure: users, groups, and service principals authenticate against Azure Active Directory and are authorized to Azure resources in resource groups within the Azure subscription(s)] 


FIGURE 1-50 Azure AD and Azure Subscription relationship 


There are multiple ways to obtain an Azure subscription, and a wide range of subscription 
types (or offers). Some common types include the following: 


■ Free trial 

■ Pay-As-You-Go/Web Direct 

■ Visual Studio/MSDN subscriptions 

■ Microsoft Resellers 

■ Cloud Solution Provider 

■ Microsoft Open Licensing 

■ Enterprise Agreements 


The capabilities of each subscription are similar in that each subscription type allows you 
to create and manage resources. Some subscription types have restrictions on supported 
resource types and locations. For example, Visual Studio subscriptions typically do not have a 
credit card associated with them, which prevents you from purchasing services from the Azure 
Marketplace, such as network virtual appliances. Visual Studio subscriptions for Azure only 
have access to a limited number of Azure regions. The regional restrictions for each offer can 
be viewed at https://azure.microsoft.com/regions/offers/. 


Assigning administrator permissions 


Azure has many different roles for managing access to Azure resources. These include classic 
subscription administrative roles like Account Administrator, Service Administrator, or Co- 
Administrator, as well as Azure role-based access controls (RBAC) that are available in Azure 
Resource Manager (ARM). When managing access to Azure subscriptions and resources, it is 
recommended to use Azure RBAC roles whenever possible. 


MORE INFO ROLES AND RELATIONSHIPS 


To learn more about the correlation between classic subscription administrator 
roles, Azure RBAC roles, and Azure AD roles, see https://docs.microsoft.com/azure/ 
role-based-access-control/rbac-and-directory-admin-roles. 


Classic subscription administrators have full access to an Azure subscription. They can man- 
age resources through the Azure portal, Resource Manager APIs (including through Power- 
Shell and the CLI), and the classic deployment model APIs. 


By default, the account that is used to sign up for an Azure subscription is automatically set 
as both the Account Administrator and the Service Administrator. They both are authorized 
to perform subscription management activities, but access to Account Center and creation of 
new Azure subscriptions and billing changes can be performed only by the Account Administrator. 
There can be only one Account Administrator per account and one Service Administrator per 
subscription. 


Once the subscription has been created, more Co-Administrators can be added. The Co- 
Administrator has the same level of access as the Service Administrator but cannot change the 
association of subscriptions to Azure directories. There can be up to 200 Co-Administrators per 
subscription. 


Users assigned with the Service Administrator and Co-Administrator roles have the same 
access as a user who is assigned the Azure RBAC Owner role at the subscription scope. 


In the Azure portal, you can view the current assignments for the Account Administrator 
and Service Administrator roles by browsing to a subscription in the Azure portal and selecting 
the Properties blade, as seen in Figure 1-51. 




FIGURE 1-51 Azure subscription properties 
Azure RBAC roles are more flexible than classic administrator roles and allow for more fine- 
grained access management. Azure RBAC has more than 70 built-in roles, but there are four 
foundational roles, as shown in Table 1-4. 


TABLE 1-4 Azure RBAC roles 


Azure RBAC role | Permissions | Notes 
Owner | Full access to all resources; delegate access to others | The Service Administrator and Co-Administrators are assigned the Owner role at the subscription scope. Applies to all resource types. 
Contributor | Create and manage all types of Azure resources; cannot grant access to others | Applies to all resource types. 
Reader | View Azure resources | Applies to all resource types. 
User Access Administrator | Manage user access to Azure resources | 


Configure management groups 


Management groups can also be used to apply Azure RBAC to a subscription. Management 
groups allow you to apply governance consistently across subscriptions, including the applica- 
tion of common RBAC controls and the application of Azure Policy, as discussed later in this 
chapter. 


Management groups allow subscriptions to be organized in a multi-level hierarchy, provid- 
ing a number of tangible benefits: 


■ Reduced overhead. There is no need to apply governance on every subscription. 

■ Enforcement. Company admins can apply governance at the management group 
level, outside the control of the subscription admin, and the controls implemented at the 
management group can be applied to both existing and new subscriptions. This elimi- 
nates inconsistencies in the application of governance as the same controls are applied 
the same way to the desired subscriptions. 

■ Reporting. Azure Policy provides reports of compliance; with management 
groups the reporting can span across multiple/all subscriptions in an organization. 


Management groups form a hierarchy that is up to six levels deep, excluding the root and 
subscription levels. Each group has exactly one parent group and can have multiple child 
groups. An example hierarchy is shown in Figure 1-52. In such a hierarchy, one common set of 
Policy could be applied at the root management group, which all child management groups 
and subscriptions would inherit. Then, as needed, those children can have additional controls 
applied. 
[Figure: ExamRef Root Group with two child groups named ExamRef Level 1 Group, one holding an EA Subscription and the other a Dev/Test Subscription] 


FIGURE 1-52 Example Management group hierarchy 


There is a single root management group at the root of the hierarchy. This management 
group is associated with the Azure AD tenant that is then associated with an Azure subscrip- 
tion. It cannot be moved or deleted. Individual subscriptions, including new subscriptions, are 
added to a management group. 


Like RBAC, Azure Policy is also applied at a specific scope. The scope can be a subscription, a 
resource group, or an individual resource. For example, when Policy is applied at the subscrip- 
tion scope, it gets inherited to all the resource groups and resources in the subscription, as 
shown in Figure 1-53. 


[Figure: a Policy assigned at the Subscription scope flows down to the Resource Group and to the Resources within it] 


FIGURE 1-53 Example Policy applied at the subscription scope 


Management groups introduce an additional scope above a subscription. When applied at 
the management group scope, each subscription under the management group inherits the 
RBAC and Policy assignments of the management group as shown in Figure 1-54. 
FIGURE 1-54 Example Policy applied at the management group scope 


To add a role assignment to a management group, browse to the management groups 
service in the Azure portal. Select a management group and then click the Details button next 
to that group's name. Select the Access Control (IAM) blade and click Add Role Assignment, 
just as you would to an Azure subscription, as shown in Figure 1-55. 




FIGURE 1-55 Access control (IAM) blade for an Azure management group 


IMPORTANT RBAC AND MANAGEMENT GROUPS 


RBAC applied at the management group level is inherited by all the child resources within the 
scope of the management group (subscriptions, resource groups, and resources). For instance, 
if you add a user as an Owner at the management group scope, that user will become an 
Owner in all the subscriptions associated with the management group. 
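The inheritance rule just stated is easy to state and easy to get wrong when reviewing who can do what at a given resource. The following is an added example, not code from the book and not how Azure stores assignments: it walks a resource's scope chain (root management group, child management group, subscription, resource group, resource) and collects the assignments that apply, over a constructed hierarchy modelled on Figure 1-52 with constructed principals and assignments.

```python
"""Resolve the roles a principal holds at a given resource by walking its scope
chain: root management group -> child management group -> subscription ->
resource group -> resource. Added example, not the book's code; it reproduces
the inheritance rule (an assignment at a scope applies to everything beneath
it) over a constructed hierarchy, principals and assignments."""
from typing import Dict, List, Set, Tuple

MG_PREFIX = "/providers/Microsoft.Management/managementGroups/"

# Constructed hierarchy: child management group -> parent management group.
MG_PARENT: Dict[str, str] = {
    "ExamRef-Level1-A": "ExamRef-Root",
    "ExamRef-Level1-B": "ExamRef-Root",
}
# Constructed membership: subscription id -> management group it sits in.
SUB_MG: Dict[str, str] = {"sub-ea": "ExamRef-Level1-A", "sub-devtest": "ExamRef-Level1-B"}

# Constructed role assignments: (principal, role, scope id).
ASSIGNMENTS: List[Tuple[str, str, str]] = [
    ("alice", "Owner", MG_PREFIX + "ExamRef-Root"),
    ("bob", "Reader", MG_PREFIX + "ExamRef-Level1-A"),
    ("carol", "Contributor", "/subscriptions/sub-devtest/resourceGroups/rg-app"),
]


def scope_chain(resource_id: str) -> List[str]:
    """Every scope that contains resource_id, outermost first, ending with the id itself.
    resource_id follows the ARM form /subscriptions/{sub}[/resourceGroups/{rg}[/providers/...]]."""
    parts = resource_id.strip("/").split("/")
    if len(parts) < 2 or parts[0].lower() != "subscriptions":
        raise ValueError("expected an id starting with /subscriptions/{id}")
    sub = parts[1]
    chain: List[str] = []
    mg = SUB_MG.get(sub)
    while mg:                       # climb to the root management group
        chain.insert(0, MG_PREFIX + mg)
        mg = MG_PARENT.get(mg)
    chain.append(f"/subscriptions/{sub}")
    if len(parts) >= 4 and parts[2].lower() == "resourcegroups":
        chain.append(f"/subscriptions/{sub}/resourceGroups/{parts[3]}")
        if len(parts) > 4:
            chain.append("/" + "/".join(parts))
    return chain


def effective_roles(principal: str, resource_id: str,
                    assignments: List[Tuple[str, str, str]] = ASSIGNMENTS) -> Set[Tuple[str, str]]:
    """Set of (role, scope the role was granted at) that apply to principal at resource_id."""
    scopes = set(scope_chain(resource_id))
    return {(role, scope) for who, role, scope in assignments
            if who == principal and scope in scopes}


if __name__ == "__main__":
    target = "/subscriptions/sub-ea/resourceGroups/rg-x/providers/Microsoft.Storage/storageAccounts/st1"
    for who in ("alice", "bob", "carol"):
        print(who, effective_roles(who, target))
```

Reporting the granting scope alongside the role is the useful part: an Owner that turns up on a storage account because of a root management group assignment is reviewed very differently from one granted on the resource itself.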
Configure cost management 


In Azure, there are several types of quotas that are applicable to subscriptions, including 
resource quotas and spending quotas. With Azure resource quotas (or limits), Azure adminis- 
trators can view the current consumption and usage of resources within an Azure subscription 
and understand how that consumption can be affected by Azure resource limits. Administra- 
tors can also request quota increases for certain resource types. For instance, the number of 
cores available for virtual machines is limited to 20 per region by default. This limit can be 
increased by submitting a request to Microsoft support. 


There are also spending quotas in Azure. Spending quotas allow administrators to set alerts 
within an Azure subscription by configuring budgets to inform the business when their Azure 
spending has hit a certain threshold. While a resource limit can stop resources from being 
created (for example, there are not enough cores available to the subscription in the desired 
region), a spending quota acts as an alerting mechanism and does not stop resources from 
being created or consumed. While an alert can be generated from a spending quota, resources 
can still be created and consumed which could cause the spending quota to be exceeded. 


Tags in Azure Resource Manager allow consumers of Azure to logically categorize Azure 
resource groups and Azure resources. As resources are tagged, they can then be queried and 
tracked based on the associated tags. Tags are a crucial component to implement chargeback 
within an Azure subscription. For example, in organizations where an Azure subscription is 
shared by multiple business units or departments, there might be a need to understand how 
resources are used for individual departments and show the cost associated with each depart- 
ment, either to bill that department for their Azure consumption (chargeback) or to help that 
department understand their spend in Azure (showback). 


Configure resource quotas 


To view the existing resource quotas (or service limits) for your Azure subscription, browse to 
the Azure subscription in the Azure portal and select the Usage + Quotas blade. From this 
blade, you can view existing quotas by service, resource provider, and location. You can also filter 
the list by the resource types you have deployed. 


To increase a quota, click the Request Increase button, as shown in Figure 1-56. 




FIGURE 1-56 Azure subscription resource quotas 
Clicking the Request Increase button will begin the process to open a new support 
request. As a part of the request, you must select the quota type (for example, Compute/VM 
cores or Machine Learning service) and provide a description of your request. 


IMPORTANT QUOTA INCREASE 


Submitting a request to increase a quota is only submitting a support request to Microsoft. 
Microsoft Support must respond to the request, and while most requests are granted, it is not 
guaranteed that a quota increase will be granted. 


The consumption of resources within a subscription against a resource quota can also be 
viewed with PowerShell. There are multiple cmdlets available in the Az (formerly AzureRm) Pow- 
erShell modules for querying per-service quota usage. For example, to view the current usage 
of vCPU quotas, use Get-AzVMUsage, and to view the current resource usage for the storage 
service, use Get-AzStorageUsage. 


EXAM TIP 


In this chapter and throughout the remaining reference, PowerShell cmdlets are refer- 
enced using the new Az module. You might see examples on the web and in other reference 
materials that refer to the AzureRm cmdlets. The Az module can use AzureRm aliases with the 
command Enable-AzureRmAlias for compatibility with existing scripts. See 
https://docs.microsoft.com/powershell/azure/overview?#about-the-new-az-module for more detail. 


Configure cost center quotas 


One of the key factors in managing an Azure subscription is being able to plan for and drive 
organizational accountability for Azure spend. One of the best ways to drive accountability is 
to make sure that the consumers of Azure resources understand their cost, including current 
usage and forecasting future spend based on current resource consumption. 


Budgets in Azure Cost Management provide Azure customers with subscriptions under many 
offer types the ability to proactively manage cost and monitor Azure spend over time at a 
subscription level. 


EXAM TIP 


The full list of supported accounts and offers for Azure Cost Management can be found at 
https://docs.microsoft.com/azure/cost-management/understand-cost-mgt-data. 


Budgets are a monitoring mechanism only with set thresholds and notification rules. When 
a budget threshold is exceeded a notification is triggered but resources continue to run. 

To use Budgets with an Azure subscription, that subscription must be a supported offer 
type as previously stated. Users must have at least read access (Reader rights) to a subscription 
to view budgets and must have Contributor (or higher) rights to create and manage budgets. 
There are also specialized roles that can be used to grant principals access to Cost Manage- 
ment data including Cost Management Contributor and Cost Management Reader. 
To create a budget in the Azure portal, navigate to Cost Management + Billing and then 
click Cost Management. Select a subscription and then click Budgets. 


NOTE SUBSCRIPTION BUDGETS 


By default, you will be creating a budget at the subscription scope, but budgets can also be 
created at the management group as well as resource group scope if necessary. 


Click +Add and in the Create Budget blade, enter a budget Name and budget Amount. 
You can also change your desired scope by clicking the Change Scope option. Choose the Reset 
Period (monthly, quarterly, or annual) and an Expiration Date. Budgets require at least one 
Cost Threshold (percent of budget) and an email address for the alert recipient. Figure 1-57 
shows an example for a monthly budget for $10,000. 


[Screenshot of the Create Budget blade: budget scoping with a Change scope link; Name FY20; Reset period Billing month; Start date; Expiration date April 2022; Amount 10000, with a suggested budget based on the forecast] 


FIGURE 1-57 Azure budgets 
Figure 1-58 shows a threshold set at 90 percent of the budget ($9,000). 


[Screenshot of the Set alerts step: alert condition at 90% of budget ($9,000) with action group None; alert recipient admin@examref.com; the blade recommends adding azure-noreply@microsoft.com to your email whitelist so that alert mails do not go to the spam folder] 


FIGURE 1-58 Azure budget alerts 


NOTE BUDGET ALERTS 


Budget alerts can also leverage the same Action Groups that Azure Monitor supports. Action 
groups are a collection of notification preferences and are discussed in detail in Chapter 5. 


After your budgets have been created, they can be viewed through the Budgets blade. 
When viewing the subscription scope, you will see the budgets for both the subscription and 
any resource group scoped budgets in a single view, as shown in Figure 1-59. 




FIGURE 1-59 Azure budgets 
Monitor and report spend 


While Azure Advisor and its cost recommendations provide one method for monitoring spend 
and unused resources, Azure has many other tools that can help you monitor the cost of your 
resources and report on that cost. 


There are several considerations that you must account for when reporting on the cost 
associated with your Azure resources: 


■ Azure services are available to customers in 140 countries worldwide. 

■ Billing is supported across 24 major currencies. 

■ Azure subscriptions are billed monthly. If you are paying by credit card, note that pre- 
paid cards and virtual credit cards are not accepted. 

■ You can also pay for Azure by monthly invoice. To apply for invoice payment, raise an 
appropriate billing support ticket from the Azure management portal. Processing the 
request takes 5-7 days, depending on the time required for the necessary credit checks. 
Invoice payment is only available to business customers, and once a subscription has been 
moved to invoice payment, it cannot be moved back to credit card payment. If you choose 
invoice payment, you will get an invoice, and you will pay with a wire transfer or check. 

■ Customers on an Enterprise Agreement (EA) can add up-front commitments to Azure 
and then create multiple subscriptions under the agreement, which draw from the mon- 
etary commitment. 

  ■ EA commitments are billed immediately, and then consumed throughout the year 
  against the Azure resources consumed. 

  ■ If the committed spend is exceeded, the extra spend, or “overage,” is billed at the 
  same discounted EA rate. Billing for overage is annual if the overspend is under 
  50 percent of the commitment, or quarterly if over 50 percent. 

■ Azure Marketplace third party services are billed separately with a potentially different 
billing period, separate invoice, and separate credit card charge. Each service has its own 
billing model, which will be described in the Azure portal at the time of purchase. These 
range from pay-as-you-go per-minute billing to fixed monthly charges. Some services 
also offer a “bring your own license” model, for which you must provide a license purchased 
separately prior to using the service. 


There are three portals that are used to manage Azure subscriptions that are relevant for 
billing and cost management. They are: 


■ The EA Portal, available at https://ea.azure.com. This is available only to customers 
with an Enterprise Agreement and is used for managing spend across one or more 
subscriptions. 

■ The Account Portal at https://account.azure.com/subscriptions. This is available for all 
subscriptions and accessible by Account owners. It is used to manage subscriptions, pay- 
ment methods, and spending limits. 

■ The Azure portal at https://portal.azure.com. This is available for all subscriptions and 
includes Azure Cost Management. 
The EA Portal can be used to monitor spend across multiple subscriptions with the ability to 
view costs by the entire organization or by the business unit. Organizations can view historical 
spending, broken out by commitment, and overage or third-party Azure Marketplace con- 
sumption (see Figure 1-60). They can also download their current price sheet to see their EA 
discount rates, which often differ from the public pricing shown in the Azure portal and in the 
pricing calculator. 




FIGURE 1-60 Azure EA Portal 


EA customers can create spending quotas and set notification thresholds through the EA 
Portal. This is in addition to the budget alerts available through Azure Cost Management and 
Billing Alerts found in the Account Portal. An advantage of using the EA portal to configure 
spending notifications is that a quota alert can be triggered based on aggregate spending 
across all the subscriptions within a department. Cost centers can be assigned to the depart- 
ments that accounts and subscriptions roll up to for EA customers, making it easier to track 
cost by business unit and operate a showback or chargeback model. 


Within the Azure portal, EA customers can also use Azure Cost Management for track- 
ing cost for individual subscriptions. Cost Management includes features for performing cost 
analysis, setting per-subscription budgets and alerts, setting recommendations for optimiza- 
tion, and exporting cost management data to perform deeper analysis. 
Access to the Cost Management service is dictated by scopes. A user must have at least read 
access to one of the following scopes shown in Table 1-5 to view data in Cost Management. 


TABLE 1-5 Cost Management access scopes 


Scope | Defined at | Required access to view data | Prerequisite EA setting | Consolidates data to 
Billing account | https://ea.azure.com | Enterprise Admin | None | All subscriptions from the enterprise agreement 
Department | https://ea.azure.com | Department Admin | DA view charges enabled | All subscriptions belonging to an enrollment account that is linked to the department 
Enrollment account | https://ea.azure.com | Account Owner | AO view charges enabled | All subscriptions from the enrollment account 
Management group | https://portal.azure.com | Cost Management Reader (or Reader) | AO view charges enabled | All subscriptions below the management group 
Subscription | https://portal.azure.com | Cost Management Reader (or Reader) | AO view charges enabled | All resources/resource groups in the subscription 
Resource group | https://portal.azure.com | Cost Management Reader (or Reader) | AO view charges enabled | All resources in the resource group 


To access Cost Management, in the Azure portal browse to Cost Management + Billing 
and choose Cost Management. Finally, select Cost Analysis, as shown in Figure 1-61. 


FIGURE 1-61 Azure Cost Management Cost Analysis 
If you have access to more than one scope, you can filter by scope and begin interacting 
with the data. From cost analysis, you can view the total costs for the current month, view 
the budget (if available), set the granularity (Accumulated, Daily, or Monthly), and apply the 
filters. You can filter by Department Name, Enrollment Account Name, Location, Meter, Meter 
Category, Meter Subcategory, Resource, Resource Group Name, Resource Type, Service Name, 
Service Tier, Subscription ID, Subscription Name, and Tag. 


The data in a view can be downloaded from Cost Analysis as a CSV. Any filtering that you 
have applied, including groupings, is applied to the file. 


Thought experiment 


In this thought experiment, apply what you have learned. You can find answers to these ques- 
tions in the next section. 


You are responsible for creating and tracking resources in Azure for two business units 
within your organization: HR and Marketing. Your organization has an Enterprise Agreement 
(EA). Each business unit needs to deploy its own resources. Your Finance department needs 
to be able to understand the consumption of resources for each business unit for chargeback 
purposes. Finance would also like to be able to receive a notification when a defined monetary 
threshold is reached for each business unit. 


The resources that each business unit will deploy are from a known set of resources and 
users should be prevented from creating unapproved resources. There will be resources within 
a subscription that are not billed back directly to the business units, but will be billed to IT. 
These resources must be differentiated for Finance. 


1. How will you ensure that users can only create approved resources in Azure? 


2. How will you grant access to create resources and restrict each business unit's users 
from impacting the other business units? 


3. How will Finance access billing data for Azure and how will they be able to tell where 
each cost is coming from? 


4. How will Finance be notified when each business unit is nearing their spending 
threshold? 


Thought experiment answers 


This section contains the solution to the thought experiment for the chapter. 


For each business unit, HR and Marketing, a separate subscription can be created. This will 
allow for the separation of resources by business unit and allow for segregated and aggregated 
cost reporting and monitoring for Finance through the EA Portal. 

1. To ensure users can only create approved resources, policies should be defined that can 
be assigned to each subscription. The policies will deny the creation of any unapproved 
resources and compliance can be monitored through Azure Policy as well. 
2. Each business unit will be placed into its own subscription. Within a subscription, 
resource groups will be created, and users will be granted appropriate rights at the 
resource group level. As RBAC is inherited by child resources, with the appropriate 
rights granted, users will be able to create and manage resources as needed without 
impacting others in the subscription. This will be layered with Azure Policy to ensure that 
only allowed resources can be created. This can be extended further by creating Azure 
Resource Manager templates, which can be used by business unit users to deploy their 
resources with well-known configurations. 


Alternatively, you can also use management groups to segregate the business units. 
RBAC assigned at the management group is still inherited by the subscription and its child 
resources. 


3. Users in the Finance department can be granted access to the EA Portal and/or Azure Cost 
Management by configuring access through the required scopes. To make sure that they can 
tell where each resource cost is coming from, tags should be applied to all resources using a 
taxonomy defined by Finance. For example, “BusinessUnit” can be a tag with the allowed 
values “HR,” “Marketing,” and “IT.” That taxonomy should be governed through Azure Policy 
to ensure that all resources are tagged with required and valid tags. 
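The tag taxonomy in the answer above, the approved-resource-types rule from answer 1, and the chargeback use of tags described under "Configure cost management" all come together in one small evaluation. The following is an added example, not code from the book and not Azure Policy's engine: it restates the "allowed resource types" and "required tag with allowed values" patterns as plain Python over a constructed inventory with constructed month-to-date costs, then rolls cost up by BusinessUnit. A policy assignment with a deny effect would stop the non-compliant deployments at creation; this scan reports the same findings over what already exists.

```python
"""Evaluate two governance rules (allowed resource types; required BusinessUnit
tag with allowed values) and roll cost up by tag for chargeback/showback.
Added example, not the book's code and not Azure Policy itself; the inventory,
the costs and the allowed lists are constructed."""
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

ALLOWED_TYPES = {"Microsoft.Storage/storageAccounts", "Microsoft.Web/sites", "Microsoft.Web/serverfarms"}
TAG_NAME = "BusinessUnit"
ALLOWED_TAG_VALUES = {"HR", "Marketing", "IT"}   # the taxonomy from the answer to question 3
UNALLOCATED = "Unallocated"

# Constructed inventory: (resource name, resource type, tags, month-to-date cost in USD).
Resource = Tuple[str, str, Dict[str, str], float]
INVENTORY: List[Resource] = [
    ("hrdata", "Microsoft.Storage/storageAccounts", {"BusinessUnit": "HR"}, 42.10),
    ("campaign-site", "Microsoft.Web/sites", {"BusinessUnit": "Marketing"}, 120.00),
    ("campaign-plan", "Microsoft.Web/serverfarms", {"BusinessUnit": "Sales"}, 73.00),  # value not in taxonomy
    ("jump01", "Microsoft.Compute/virtualMachines", {"BusinessUnit": "IT"}, 95.50),      # type not approved
    ("logs", "Microsoft.Storage/storageAccounts", {}, 8.40),                              # untagged
]


def tag_value(tags: Dict[str, str], name: str) -> Optional[str]:
    """Tag names are case-insensitive in Azure; look the tag up accordingly.
    Values are compared exactly against the taxonomy, a choice made for this example."""
    for key, value in tags.items():
        if key.lower() == name.lower():
            return value
    return None


def violations(resource: Resource) -> List[str]:
    """Findings the two rules produce for one resource (empty means compliant)."""
    name, rtype, tags, _cost = resource
    findings: List[str] = []
    if rtype not in ALLOWED_TYPES:
        findings.append(f"type {rtype} is not an approved resource type")
    value = tag_value(tags, TAG_NAME)
    if value is None:
        findings.append(f"required tag {TAG_NAME} is missing")
    elif value not in ALLOWED_TAG_VALUES:
        findings.append(f"tag {TAG_NAME}={value!r} is not an allowed value")
    return findings


def compliance_report(inventory: List[Resource]) -> Dict[str, List[str]]:
    """Map of non-compliant resource name -> its findings."""
    report: Dict[str, List[str]] = {}
    for resource in inventory:
        found = violations(resource)
        if found:
            report[resource[0]] = found
    return report


def chargeback(inventory: List[Resource]) -> Dict[str, float]:
    """Cost per business unit. Anything outside the taxonomy lands in Unallocated,
    so Finance sees a tagging gap instead of a department being billed by accident."""
    totals: Dict[str, float] = defaultdict(float)
    for _name, _rtype, tags, cost in inventory:
        value = tag_value(tags, TAG_NAME)
        bucket = value if value in ALLOWED_TAG_VALUES else UNALLOCATED
        totals[bucket] += cost
    return {unit: round(total, 2) for unit, total in totals.items()}


if __name__ == "__main__":
    for name, findings in compliance_report(INVENTORY).items():
        print(name, findings)
    print(chargeback(INVENTORY))
```

The Unallocated bucket is the practical link between the two halves: every dollar in it is a resource that the policy scan also flags, which is what lets Finance push the gap back to the owning team rather than absorb it.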


To manage thresholds, Department quotas can be configured in the EA Portal. In addi- 
tion, Budgets can be created in Cost Management. Budgets in Cost Management can 
provide more flexibility has multiple notification thresholds can be set and each notifi- 
cation can have a different receiver. This would allow a single budget to send notifica- 
tions to both business unit owners and Finance. 
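The two guardrails from answers 1 and 3 (deny unapproved resource types, require a BusinessUnit tag with an approved value) can be expressed as Azure Policy definitions and assigned at the subscription scope. The following is an added example written for this page, not code from the book; it assumes you have run Connect-AzAccount with rights to create policy definitions and assignments, and the resource type list and tag values are placeholders for your own taxonomy.

```powershell
# Added example (not from the book). Assumes Connect-AzAccount has been run, the Az.Resources
# and Az.PolicyInsights modules are installed, and the approved type list and tag values below
# are placeholders for your own taxonomy.
$subscriptionId = (Get-AzContext).Subscription.Id
$scope = "/subscriptions/$subscriptionId"

# Policy 1 (answer 1): deny creation of any resource type not on the approved list.
# The allow list must also include the supporting types a workload needs (disks, NICs, VNets),
# otherwise an "approved" VM deployment fails on its dependencies.
$typeRule = @'
{
  "if": { "not": { "field": "type", "in": "[parameters('allowedTypes')]" } },
  "then": { "effect": "deny" }
}
'@
$typeParams = @'
{ "allowedTypes": { "type": "Array", "metadata": { "displayName": "Approved resource types" } } }
'@
$typeDef = New-AzPolicyDefinition -Name 'deny-unapproved-types' `
    -DisplayName 'Deny resource types not on the approved list' `
    -Policy $typeRule -Parameter $typeParams -Mode All

# Policy 2 (answer 3): require a BusinessUnit tag whose value comes from the Finance taxonomy.
# Mode Indexed limits evaluation to resource types that support tags and location.
$tagRule = @'
{
  "if": {
    "anyOf": [
      { "field": "[concat('tags[', parameters('tagName'), ']')]", "exists": "false" },
      { "field": "[concat('tags[', parameters('tagName'), ']')]", "notIn": "[parameters('allowedValues')]" }
    ]
  },
  "then": { "effect": "deny" }
}
'@
$tagParams = @'
{
  "tagName":       { "type": "String", "metadata": { "displayName": "Tag name" } },
  "allowedValues": { "type": "Array",  "metadata": { "displayName": "Allowed tag values" } }
}
'@
$tagDef = New-AzPolicyDefinition -Name 'require-businessunit-tag' `
    -DisplayName 'Require a BusinessUnit tag with an approved value' `
    -Policy $tagRule -Parameter $tagParams -Mode Indexed

# Assign both at the subscription scope. A management group scope works the same way with
# -Scope "/providers/Microsoft.Management/managementGroups/<name>".
New-AzPolicyAssignment -Name 'allowed-types' -Scope $scope -PolicyDefinition $typeDef `
    -PolicyParameterObject @{
        allowedTypes = @('Microsoft.Compute/virtualMachines', 'Microsoft.Compute/disks',
                         'Microsoft.Network/networkInterfaces', 'Microsoft.Network/virtualNetworks',
                         'Microsoft.Storage/storageAccounts')
    } | Out-Null
New-AzPolicyAssignment -Name 'businessunit-tag' -Scope $scope -PolicyDefinition $tagDef `
    -PolicyParameterObject @{ tagName = 'BusinessUnit'; allowedValues = @('HR', 'Marketing', 'IT') } | Out-Null

# Deny only blocks new or changed resources. Existing resources that break the rules are
# reported as non-compliant, not removed; this is the compliance view answer 1 refers to.
Get-AzPolicyState -SubscriptionId $subscriptionId -Filter "ComplianceState eq 'NonCompliant'" |
    Select-Object ResourceId, PolicyDefinitionName, ComplianceState
```

Two practical points: a deny assignment does nothing to resources that already exist, so run the compliance query before and after assignment to see what the business units must remediate; and if the allow list omits a dependency type, ARM deployments fail part-way through, so test each approved workload's template against the assignment in a non-production subscription first.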


Chapter summary 

Here are some of the key takeaways from this chapter: 

■ Windows 10 devices can be added to Azure AD as managed devices, enabling BYOD or 
corporate cloud-only deployments with Azure AD Join. 

■ Azure AD Join enables administrators to manage device identity independently of users. 
For example, dynamic security groups can be created based on device attributes, and 
conditional access policies can then be applied to those groups. 

■ Domain-joined Windows clients can also be managed through Azure AD using hybrid 
Azure AD join. 

■ Conditional access is a feature of Azure AD that allows administrators to control access 
to cloud applications through additional checks such as the user’s location, the device the 
user is accessing the cloud app from, and more. 

■ Multiple Azure AD tenants can be created and managed through Azure. This includes 
creating new directories and deleting existing directories. 

■ Users and groups can be created through the Azure portal, Azure PowerShell, the Azure 
CLI, and the Graph API. 

■ Users and groups can be managed in bulk with tools like PowerShell. 

■ Self-service password reset can be combined with the password writeback feature of 
Azure AD Connect to allow users to reset their passwords from the cloud while adhering 
to on-premises password standards. 

■ Many advanced features of Azure AD require Azure AD Premium P1 or Azure AD 
Premium P2 licenses. When considering Azure AD features, administrators need to be 
aware of the licensing boundaries. 

■ Azure offers a rich ecosystem of governance controls, with user-level and platform-level 
controls in the form of role-based access control (RBAC) and Azure Policy. 

■ Azure management groups can be used to control Policy and RBAC for multiple 
subscriptions. Management groups enable organizational alignment for your Azure 
subscriptions through custom hierarchies and groupings. 

■ Tags in Azure can be used to logically organize resources by categories. Each tag is a 
name and value pair. Tags can be shared across multiple resources and enforced with 
Azure Policy. 

■ Azure Policy is a service that lets you create, manage, and assign policies to Azure 
resources at the management group, subscription, resource group, or resource level. 
Policies enforce rules over your Azure resources so that those resources remain compliant 
with your organization’s standards. 

■ Role-based access control allows you to grant users, groups, and service principals 
access to Azure resources at the management group, subscription, resource group, or 
resource scope, with assignments inherited by child scopes. The three core roles are 
Owner, Contributor, and Reader. 

■ You can create resources from the portal, PowerShell, the CLI tools, and Azure Resource 
Manager templates. You should understand when to use which tool and how to configure 
the resource during provisioning and after provisioning. 

■ A resource is simply a single service instance in Azure. Most services in Azure can be 
represented as a resource. For example, a Web App instance is a resource. An App Service 
Plan is also a resource. Even a SQL Database instance is a resource. 

■ A resource group is a logical grouping of resources. For example, a resource group 
where you deploy a VM compute instance may be composed of a Network Interface 
Card (NIC), a Virtual Machine, a Virtual Network, and a Public IP Address. 

■ An Azure Resource Manager template is a JSON file that allows you to declaratively 
describe a set of resources. These resources can then be deployed to a new or existing 
resource group. For example, a template can contain the configuration necessary to create 
two API App instances, a Mobile App instance, and a Document DB instance. 

■ A template can simplify orchestration because you only need to deploy the template to 
deploy all your resources. 

■ A template allows you to configure multiple resources simultaneously and use variables, 
parameters, and functions to express dependencies between resources. 
Implement and manage storage 


Implementing and managing storage is one of the most important aspects of building or 
deploying a new solution using Azure. There are several services and features available for 
use, and each has its own place. Azure Storage is the underlying storage for most of the 
services in Azure. It provides services for the storage and retrieval of files, and it has services 
for storing large volumes of structured data through tables. Also, Azure Storage includes 
a fast and reliable messaging service for application developers in the form of queues. In this 
chapter, we review how to implement and manage storage with an emphasis on Azure Storage. 

Also, we discuss related services such as Import/Export, Azure Files, and many of the tools 
that simplify the management of these services. 


Skills covered in this chapter: 
■ Skill 2.1: Secure Storage 
■ Skill 2.2: Manage Storage 
■ Skill 2.3: Configure Azure Files and Azure Blob Storage 


Skill 2.1: Secure Storage 


An Azure Storage account is an entity you create that is used to store Azure Storage data 
objects such as blobs, files, queues, tables, and disks. Data in an Azure Storage account is 
durable and highly available, secure, massively scalable, and accessible from anywhere in the 
world over HTTP or HTTPS. 


This section covers how to: 
■ Configure network access to storage accounts 
■ Create and configure storage accounts 
■ Generate shared access signatures 
■ Manage access keys 
■ Configure Azure AD authentication for a storage account 

Configure network access to the storage accounts 


Storage accounts are managed through Azure Resource Manager. Management operations are 
authenticated and authorized using Azure Active Directory and RBAC. Each storage account 
service exposes its own endpoint used to manage the data in that storage service (blobs in 
Blob Storage, entities in tables, and so on). These service-specific endpoints are not exposed 
through Azure Resource Manager; instead, they are (by default) Internet-facing endpoints. 


Access to these Internet-facing storage endpoints must be secured, and Azure Storage pro- 
vides several ways to do so. In this section, we will review the network-level access controls: the 
storage firewall and service endpoints. We also discuss Blob Storage access levels. The follow- 
ing sections then describe the application-level controls: shared access signatures and access 
keys. In later sections, we also discuss Azure Storage replication and how to leverage Azure AD 
authentication for a storage account. 


Storage firewall 


The storage firewall allows you to limit access to specific IP addresses or an IP address range. It 
applies to all storage account services (blobs, tables, queues, and files). For example, by limiting 
access to the IP address range of your company, access from other locations will be blocked. 
Service endpoints are used to restrict access to specific subnets within an Azure VNet. 


To configure the storage firewall using the Azure portal, open the storage account blade 
and click Firewalls And Virtual Networks. Under All Access From, click Selected Networks 
to reveal the Firewall and Virtual Network settings, as shown in Figure 2-1. 


[Figure 2-1 shows the Firewalls And Virtual Networks blade: Allow access from Selected 
networks; a Virtual networks table with the columns Virtual Network, Subnet, Address range, 
Endpoint Status, Resource Group, and Subscription; and a Firewall section for Internet or 
on-premises address ranges.] 

FIGURE 2-1 Configuring a storage account firewall and virtual network service endpoint access 


When accessing the storage account via the Internet, use the storage firewall to specify the 
Internet-facing source IP addresses (for example, 32.54.231.0/24, as shown in Figure 2-1) that 
will make the storage requests. All Internet traffic is denied except from the IP addresses defined 
in the storage firewall. You can specify a list of either individual IPv4 addresses or IPv4 CIDR 
address ranges. (CIDR notation is explained in the chapter on Azure networking.) 


The storage firewall includes an option to allow access from trusted Microsoft services. 
These services include Azure Backup, Azure Site Recovery, and Azure Networking. For 
example, it will allow access to storage for NSG flow logs if the Allow Trusted Microsoft Services 
To Access This Account exceptions checkbox is selected (see Figure 2-1). Separate exception 
checkboxes allow read-only access to storage metrics and logs from any network. 


NOTE ADDRESS SPACE FOR STORAGE FIREWALL 


When creating a storage firewall, you must use public Internet IP address space. You cannot 
use IPs in the private IP address space. 


Virtual network service endpoints 


In some scenarios, a storage account is only accessed from within an Azure virtual network. 

In this case, it is desirable from a security standpoint to block all Internet access. Configuring 
virtual network service endpoints for your Azure Storage accounts allows you to remove access 
from the public Internet and only allow traffic from a virtual network for improved security. 


Another benefit of using service endpoints is optimized routing. Service endpoints create 
a direct network route from the virtual network to the storage service. If forced tunneling is 
being used to send Internet-bound traffic to your on-premises network or to another network 
appliance, requests to Azure Storage would otherwise follow that same route. With service 
endpoints, traffic takes the direct route to the storage account instead of the on-premises 
route, so no additional latency is incurred. 


Configuring service endpoints requires two steps. First, from the virtual network subnet, 
choose Microsoft.Storage from the Service Endpoints drop-down menu. This creates the 
route from the subnet to the storage service but does not restrict which storage accounts the 
subnet can reach. To update the subnet settings, choose virtualNetwork1 
from the Virtual Networks blade. Then go to Subnets in the left pane under Settings. Click 
subnet1 to access the subnet settings. Figure 2-2 shows the subnet settings, including the 
service endpoint configuration. 

The second step is to configure which virtual networks can access a particular storage 
account. From the storage account blade, click Firewalls And Virtual Networks. Under All 
Access From, click Selected Networks to reveal the Firewall and Virtual Network settings, 
as shown previously in Figure 2-1. Under Virtual Networks, select the virtual networks and 
subnets that should have access to this storage account. 
[Figure 2-2 shows the settings blade of subnet1 in virtualNetwork1, with the Service 
Endpoints drop-down set to Microsoft.Storage.] 

FIGURE 2-2 Configuring a subnet with a service endpoint for Azure Storage 
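The two-step procedure above (enable the Microsoft.Storage endpoint on the subnet, then allow that subnet plus the corporate Internet range on the storage account) can be scripted end to end. This is an added example written for this page, not the book's own code; it assumes Connect-AzAccount has been run with the Az.Network and Az.Storage modules installed, and the resource group rgCoreNetwork, virtualNetwork1/subnet1, the account examrefstorage and the range 32.54.231.0/24 are placeholder names taken from the figures.

```powershell
# Added example, not from the book. Assumes Connect-AzAccount, Az.Storage and Az.Network,
# and these placeholder names: resource group rgCoreNetwork, VNet virtualNetwork1 with
# subnet1, storage account examrefstorage, corporate egress range 32.54.231.0/24.
$rg      = 'rgCoreNetwork'
$account = 'examrefstorage'

# Step 1: enable the Microsoft.Storage service endpoint on the subnet. This adds the
# optimized route but by itself restricts nothing; the subnet can still reach any account.
$vnet   = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'virtualNetwork1'
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'subnet1'
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'subnet1' `
    -AddressPrefix $subnet.AddressPrefix -ServiceEndpoint 'Microsoft.Storage' | Out-Null
$vnet   = $vnet | Set-AzVirtualNetwork
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'subnet1'

# Step 2: add the explicit allows first, then flip the default to Deny. Doing it in the
# other order cuts off your own management path until the rules land.
Add-AzStorageAccountNetworkRule -ResourceGroupName $rg -Name $account `
    -IPAddressOrRange '32.54.231.0/24' | Out-Null
Add-AzStorageAccountNetworkRule -ResourceGroupName $rg -Name $account `
    -VirtualNetworkResourceId $subnet.Id | Out-Null
# Bypass keeps the "trusted Microsoft services" and the read-only logging/metrics exceptions.
Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $account `
    -DefaultAction Deny -Bypass AzureServices,Logging,Metrics | Out-Null

# Verify: DefaultAction must be Deny and the rule lists must contain exactly what you intended.
$rules = Get-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $account
$rules | Select-Object DefaultAction, Bypass
$rules.IpRules             | Select-Object IPAddressOrRange, Action
$rules.VirtualNetworkRules | Select-Object VirtualNetworkResourceId, Action
```

Two caveats worth checking when you adopt this: Add-AzStorageAccountNetworkRule rejects private address space (10/8, 172.16/12, 192.168/16), matching the note above, and IP rules do not apply to requests that originate from the same Azure region as the storage account, so same-region clients must come in through a virtual network rule rather than an IP rule.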


Blob Storage access levels 
Storage accounts support an additional access control mechanism that is limited only to Blob 
Storage. By default, no public read access is enabled for anonymous users, and only callers 
authorized through RBAC, a shared access signature, or the storage account name and key will 
have access to the stored blobs. To enable anonymous user access, you must change the 
container access level (see Figure 2-3). The supported levels are as follows: 

■ Private. With this option, no anonymous access is allowed; only authorized requests 
(account key, SAS, or Azure AD) can reach the container and its blobs. 

■ Blob. With this option, anonymous clients can read individual blobs in the container if 
they know the blob URL, but they cannot list the container’s contents. 

■ Container. With this option, anonymous clients can list the blobs in the container and 
read them. 


[Figure 2-3 shows the New Container dialog with the Public access level drop-down offering 
Private (no anonymous access), Blob (anonymous read access for blobs only), and Container 
(anonymous read access for containers and blobs).] 

FIGURE 2-3 Blob Storage access levels 


You can change the access level through the Azure portal, Azure PowerShell, Azure CLI, 
programmatically using the REST API, or by using Azure Storage Explorer. The access level is 
configured separately on each blob container. 
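Because the access level is a per-container setting, the practical check is an audit across every container in the account, followed by an account-level guardrail so a later change at the container level cannot reopen anonymous access. This is an added example for this page, not the book's code; it assumes Connect-AzAccount and the Az.Storage module, rights to list the account keys, and placeholder names for the resource group and account.

```powershell
# Added example, not from the book. Assumes Connect-AzAccount and the Az.Storage module;
# resource group and account names are placeholders.
$rg      = 'rgStorage'
$account = 'examrefstorage'
$sa  = Get-AzStorageAccount -ResourceGroupName $rg -Name $account
$ctx = $sa.Context   # key-based context; listKeys permission on the account is required

# Create a container with no anonymous access (Off is also the default when -Permission is omitted).
New-AzStorageContainer -Name 'examrefcontainer' -Permission Off -Context $ctx | Out-Null

# Audit: list every container that allows anonymous reads. PublicAccess is Off, Blob or Container.
$exposed = Get-AzStorageContainer -Context $ctx | Where-Object { $_.PublicAccess -ne 'Off' }
$exposed | Select-Object Name, PublicAccess, LastModified

# Remediate: switch each exposed container back to Private.
foreach ($c in $exposed) {
    Set-AzStorageContainerAcl -Name $c.Name -Permission Off -Context $ctx
}

# Account-level guardrail: with AllowBlobPublicAccess false, anonymous requests are refused
# regardless of the container level, so a later "Blob" setting on a container has no effect.
Set-AzStorageAccount -ResourceGroupName $rg -Name $account -AllowBlobPublicAccess $false | Out-Null

# Confirm the property took effect.
(Get-AzStorageAccount -ResourceGroupName $rg -Name $account).AllowBlobPublicAccess
```

Run the audit loop across all storage accounts in a subscription (Get-AzStorageAccount with no name) when you inherit an environment; a container set to Container level lists its blob names to anyone, which is usually the finding that matters most.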


A shared access signature token (SAS token) is a set of URI query string parameters that grants 
access to specific containers, blobs, queues, and tables. Use an SAS token to grant access to a 
client that should not have access to the entire contents of the storage account (and therefore 
should not have access to the storage account keys) but still requires authenticated access. By 
distributing an SAS URI to these clients, you can grant them access to a specific resource, for 
a specified period of time, and with a specified set of permissions. Frequently, SAS tokens are 
used to let applications read and write data in a storage account on behalf of users. SAS tokens 
are also widely used to copy blobs or files to another storage account. 

NOTE SAS TOKENS USING HTTPS 

When dealing with SAS tokens, you should restrict them to the HTTPS protocol. Because an 
active SAS token is a bearer credential for your storage account, anyone who obtains the URI 
can use it until it expires, so you must use a secure connection, such as HTTPS, to distribute 
SAS token URIs. 


Create and configure storage accounts 


Azure Storage accounts provide a cloud-based storage service that is highly scalable, available, 
performant, and durable. Within each storage account, a number of separate storage services 
are provided: 


■ Blobs. Provides a highly scalable service for storing arbitrary data objects such as text 
or binary data. 

■ Tables. Provides a NoSQL-style store for storing structured data. Unlike a relational 
database, tables in Azure Storage do not require a fixed schema, so different entries in 
the same table can have different fields. 

■ Queues. Provides reliable message queueing between application components. 

■ Files. Provides managed file shares that can be used by Azure VMs or on-premises 
servers. 

■ Disks. Provides persistent storage volumes for Azure VMs which can be attached as 
virtual hard disks. 


There are three types of storage blobs: Block Blobs, Append Blobs, and Page Blobs. Page 
Blobs are generally used to store VHD files when deploying unmanaged disks. (Unmanaged 
disks are an older disk storage technology for Azure virtual machines. Managed disks are rec- 
ommended for new deployments.) 


When creating a storage account, there are several options that must be set: Performance 
Tier, Account Kind, Replication Option, and Access Tier. There are some interactions between 
these settings. For example, only the Standard performance tier allows you to choose the 
access tier. The following sections describe each of these settings. We then describe how to 
create storage accounts using the Azure portal, PowerShell, and Azure CLI. 


Naming storage accounts 
While naming an Azure Storage account, you need to remember these points: 

■ The storage account name must be unique across all existing storage account names in 
Azure, because it forms the DNS name of the account’s endpoints. 

■ The name must be between 3 and 24 characters and can contain only lowercase letters 
and numbers. 


Performance tiers 
When creating a storage account, you must choose between the Standard and Premium per- 
formance tiers. This setting cannot be changed later. 


■ Standard. This tier supports all storage services: blobs, tables, files, queues, and 
unmanaged Azure virtual machine disks. It uses magnetic disks to provide cost-efficient 
and reliable storage. 

■ Premium. This tier is designed to support workloads with greater demands on 
I/O and is backed by high-performance SSD disks. General-Purpose accounts in this tier 
support only Page Blobs (premium page blobs, used for unmanaged disks). Block Blobs and 
Append Blobs are supported with BlockBlobStorage accounts, and files with FileStorage 
accounts. 


NOTE REPLICATION OPTIONS WITH PREMIUM TIER 


Premium tier only supports LRS as a replication option for general-purpose storage accounts. 
It supports LRS and ZRS, both for BlockBlobStorage and FileStorage accounts. 
Account kind 

There are three possible values for the Standard tier: StorageV2 (General-Purpose V2), Storage 
(General-Purpose V1), and BlobStorage. There are four possible values for the Premium tier: 
StorageV2 (General-Purpose V2), Storage (General-Purpose V1), BlockBlobStorage, and FileStorage. 
Table 2-1 shows the features for each kind of account. Key points to remember are as follows: 

■ The Blob Storage account is a specialized storage account used to store Block Blobs and 
Append Blobs. You can’t store Page Blobs in these accounts; therefore, you can’t use 
them for unmanaged disks. 

■ Only General-Purpose V2 and Blob Storage accounts support the Hot, Cool, and Archive 
access tiers. 

General-Purpose V1 and Blob Storage accounts can both be upgraded to a General-Purpose 
V2 account. This operation is irreversible. No other changes to the account kind are supported. 


TABLE 2-1 Storage account types and their supported features 

General-Purpose V2 
  Services supported: Blob, File, Queue, Table 
  Unmanaged Disk (Page Blob) support: Yes 
  Supported Performance Tiers: Standard, Premium 
  Supported Access Tiers: Hot, Cool, Archive 
  Replication Options: LRS, ZRS, GRS, RA-GRS, GZRS, RA-GZRS 

General-Purpose V1 
  Services supported: Blob, File, Queue, Table 
  Unmanaged Disk (Page Blob) support: Yes 
  Supported Performance Tiers: Standard, Premium 
  Supported Access Tiers: N/A 
  Replication Options: LRS, GRS, RA-GRS 

Blob Storage 
  Services supported: Blob (Block Blobs and Append Blobs only) 
  Unmanaged Disk (Page Blob) support: No 
  Supported Performance Tiers: Standard 
  Supported Access Tiers: Hot, Cool, Archive 
  Replication Options: LRS, GRS, RA-GRS 

Block Blob Storage 
  Services supported: Blob (Block Blobs and Append Blobs only) 
  Unmanaged Disk (Page Blob) support: No 
  Supported Performance Tiers: Premium 
  Supported Access Tiers: N/A 
  Replication Options: LRS, ZRS 

File Storage 
  Services supported: File only 
  Unmanaged Disk (Page Blob) support: No 
  Supported Performance Tiers: Premium 
  Supported Access Tiers: N/A 
  Replication Options: LRS, ZRS 


When you create a storage account, you can also specify how your data will be replicated for 
redundancy and resistance to failure. There are six options, as described in Table 2-2. 


TABLE 2-2 Storage account replication options 

Locally redundant storage (LRS) 
  Makes three synchronous copies of your data within a single datacenter. 
  Available for General-Purpose or Blob Storage accounts at both the Standard and Premium 
  performance tiers. 

Zone redundant storage (ZRS) 
  Makes three synchronous copies across three separate availability zones within a single 
  region. 
  Available for General-Purpose V2 storage accounts at the Standard performance tier only, 
  and for BlockBlobStorage and FileStorage accounts. 

Geographically redundant storage (GRS) 
  The same as LRS (three local copies), plus three additional asynchronous copies in a 
  second datacenter hundreds of miles away from the primary region. Data replication 
  typically occurs within 15 minutes, although no SLA is provided. 
  Available for General-Purpose or Blob Storage accounts at the Standard performance tier only. 

Read-access geographically redundant storage (RA-GRS) 
  The same capabilities as GRS, plus read-only access to the data in the secondary region. 
  Available for General-Purpose or Blob Storage accounts at the Standard performance tier only. 

Geographically zone redundant storage (GZRS) 
  The same as ZRS (three synchronous copies across availability zones), plus three additional 
  asynchronous copies in a second datacenter hundreds of miles away from the primary region. 
  Data replication typically occurs within 15 minutes, although no SLA is provided. 
  Available for General-Purpose V2 storage accounts at the Standard performance tier only. 

Read-access geographically zone redundant storage (RA-GZRS) 
  The same capabilities as GZRS, plus read-only access to the data in the secondary region. 
  Available for General-Purpose V2 storage accounts at the Standard performance tier only. 


NOTE REPLICATION OPTIONS 

These replication options control the level of durability and availability of the storage account. 
When an entire datacenter is unavailable, LRS would incur an outage. If the primary region 
is unavailable, both the LRS and ZRS options would incur an outage, but the GRS and GZRS 
options still provide a secondary region that can serve requests during the outage. However, 
not all the replication options are available in all regions. You can find the regions supported 
for each replication option at https://docs.microsoft.com/azure/storage/common/storage-redundancy. 

NOTE SPECIFYING REPLICATION AND PERFORMANCE TIER SETTINGS 

When creating a storage account via the Azure portal, the replication and performance tier 
options are specified using separate settings. When creating an account using Azure PowerShell, 
the Azure CLI, or a template, these settings are combined within the SKU setting. 
For example, to specify a Standard storage account using locally redundant storage using the 
Azure CLI, use --sku Standard_LRS. 

Access tiers 


Azure Blob Storage supports three access tiers: Hot, Cool, and Archive. Each represents a 
trade-off of performance, availability, and cost. There is no trade-off on the durability 
(probability of data loss), which is extremely high across all tiers. 


NOTE BLOB STORAGE ONLY 

Access tiers apply to Blob Storage only. They do not apply to other storage services, and they 
are not available on premium BlockBlobStorage accounts. 


The tiers are as follows: 

■ Hot. This access tier is used to store frequently accessed objects. Relative to the other 
tiers, data access costs are low while storage costs are higher. 

■ Cool. This access tier is used to store large amounts of data that is not accessed 
frequently and that is stored for at least 30 days. The availability SLA is lower than for the 
Hot tier. Relative to the Hot tier, data access costs are higher and storage costs are lower. 

■ Archive. This access tier is used to archive data for long-term storage that is accessed 
rarely, can tolerate several hours of retrieval latency, and will remain in the Archive 
tier for at least 180 days. This tier is the most cost-effective option for storing data, but 
accessing that data is more expensive than accessing data in the Hot or Cool tiers. 


New blobs will default to the access tier that is set at the storage account level, though you 
can override that at the blob level by setting a different access tier, including the archive tier. 


NOTE ARCHIVE TIER SUPPORTABILITY 
Currently, the archive tier is not supported for ZRS, GZRS, or RA-GZRS accounts. 


Creating an Azure Storage account 


To create a storage account by using the Azure portal, first click Create A Resource and then 
select Storage. Next, click Storage Account, which will open the Create Storage Account 
blade (see Figure 2-4). You must choose a unique name for the storage account name. Storage 
account names must be globally unique and may only contain lowercase characters and digits. 
Select the Azure region (Location), the performance tier, the kind of storage account, the rep- 
lication mode, and the access tier. The blade adjusts based on the settings you choose so that 
you cannot select an unsupported feature combination. 
[Figure 2-4 shows the Basics tab of the Create Storage Account blade: Subscription, Resource 
group, Storage account name (examref104), Location (Canada East), Performance (Standard or 
Premium), Account kind (StorageV2), Replication (RA-GRS), and the default Access tier (Hot or 
Cool).] 

FIGURE 2-4 Creating an Azure storage account using the Azure portal 


The Networking tab of the Create Storage Account blade is shown in Figure 2-5. This 
tab lets you choose how the account is reached: Public Endpoint (All Networks); Public Endpoint 
(Selected Networks), which enables the storage firewall and virtual network rules described 
earlier; or Private Endpoint, which exposes the account on a private IP address inside your 
virtual network. 

[Figure 2-5 shows the Networking tab with the Connectivity method options Public endpoint 
(all networks), Public endpoint (selected networks), and Private endpoint.] 

FIGURE 2-5 The networking properties that can be set when creating an Azure Storage account using 
the portal 

The Advanced tab of the Create Storage Account blade is shown in Figure 2-6. This tab 
allows you to specify whether secure transfer (HTTPS) is required for accessing objects in 
storage; enable or disable large file shares for Azure Files; choose data protection options such 
as blob soft delete or versioning; and enable Data Lake Storage Gen2 integration (hierarchical 
namespace). Additionally, the Tags tab allows you to specify tags on the storage account resource. 


MOREINFO CREATING A STORAGE ACCOUNT WITH POWERSHELL 


You can learn more about the additional parameters at https://docs.microsoft.com/en-us/ 
powershell/module/az.storage/new-azstorageaccount. 


MOREINFO CREATING A STORAGE ACCOUNT WITH THE AZURE CLI 


You can learn more about the additional parameters at https://docs.microsoft.com/cli/azure/ 
storage/account#az-storage-account-create. 
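The portal choices above (name, location, SKU, kind, access tier, secure transfer, data protection) map directly onto New-AzStorageAccount parameters. This is an added example written for this page rather than the book's own listing; it assumes Connect-AzAccount and the Az.Storage module, and the resource group, account name and location are placeholders.

```powershell
# Added example, not from the book. Assumes Connect-AzAccount and the Az.Storage module;
# the resource group, account name and location are placeholders.
$rg       = 'rgStorage'
$account  = 'examref104'      # 3-24 lowercase letters/digits, globally unique (it becomes a DNS name)
$location = 'canadaeast'

# The SKU combines performance tier and replication: Standard_LRS, Standard_ZRS, Standard_GRS,
# Standard_RAGRS, Standard_GZRS, Standard_RAGZRS, Premium_LRS or Premium_ZRS.
# The last three switches are the secure defaults a new account should start with:
# HTTPS only ("Secure transfer required"), TLS 1.2 minimum, and no anonymous blob access.
$sa = New-AzStorageAccount -ResourceGroupName $rg -Name $account -Location $location `
    -SkuName 'Standard_RAGRS' -Kind 'StorageV2' -AccessTier 'Hot' `
    -EnableHttpsTrafficOnly $true -MinimumTlsVersion 'TLS1_2' -AllowBlobPublicAccess $false `
    -Tag @{ BusinessUnit = 'IT' }

# Data protection options from the Advanced tab: blob soft delete and versioning.
Enable-AzStorageBlobDeleteRetentionPolicy -ResourceGroupName $rg -StorageAccountName $account `
    -RetentionDays 14 | Out-Null
Update-AzStorageBlobServiceProperty -ResourceGroupName $rg -StorageAccountName $account `
    -IsVersioningEnabled $true | Out-Null

# Settings that can change after creation: replication (within the combinations in Tables 2-1
# and 2-2) and the default access tier for new blobs. Performance tier cannot be changed.
Set-AzStorageAccount -ResourceGroupName $rg -Name $account -SkuName 'Standard_GRS' -AccessTier 'Cool' | Out-Null

# Verify the security-relevant properties before handing the account over.
Get-AzStorageAccount -ResourceGroupName $rg -Name $account |
    Select-Object StorageAccountName, Kind, AccessTier, EnableHttpsTrafficOnly, MinimumTlsVersion,
        AllowBlobPublicAccess, @{ n = 'Sku'; e = { $_.Sku.Name } },
        @{ n = 'BlobEndpoint'; e = { $_.PrimaryEndpoints.Blob } }
```

The final Select-Object is the check to keep: EnableHttpsTrafficOnly, MinimumTlsVersion and AllowBlobPublicAccess are the three properties most often left at permissive values by accounts created through older tooling.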


[Figure 2-6 shows the Advanced tab: Secure transfer required (Enabled), Large file shares 
(Disabled), Blob soft delete (Disabled), and Hierarchical namespace (Disabled).] 

FIGURE 2-6 The advanced properties that can be set when creating an Azure Storage account using 
the Azure portal 

Generate shared access signatures 

There are a few different ways you can create an SAS token. An SAS token is a way to granularly 
control how a client can access data in an Azure storage account. You can also use an account-
level SAS to grant access across the account’s services. You can control many things, such as 
which services and resource types the client can access, what permissions the client has, how 
long the token is valid for, which source IP addresses and protocols may use it, and more. 


In this section, we examine how to create SAS tokens using various methods. The simplest 
way to create one is by using the Azure portal. Browse to an Azure storage account and open 
the Shared Access Signature blade (see Figure 2-7). You can check the services, resource 
types, and permissions based on specific requirements, along with the duration for which the 
SAS token is valid and the IP addresses allowed to use it. Lastly, you have the option to 
choose which account key to use as the signing key for this token. 
FIGURE 2-7 Creating a shared access signature using the Azure portal 


Once the token is generated, it will be listed along with connection string and SAS URLs, as 
shown in Figure 2-8. 


[Figure 2-8 shows the generated output: a connection string containing the blob, queue, file, 
and table endpoints together with the SAS token, followed by the Blob, File, Queue, and Table 
service SAS URLs, each carrying the same query parameters (sv, ss, srt, sp, se, st, sip, spr, sig).] 

FIGURE 2-8 Generated SAS token with connection string and SAS URLs 


Also, you can create SAS tokens using Storage Explorer or the command-line tools (or 
programmatically using the REST APIs/SDKs). To create an SAS token using Storage Explorer, you 
need to first select the resource (storage account, container, blob, and so on) for which the 
SAS token needs to be created. Then right-click the resource and select Get Shared Access 
Signature. Figure 2-9 demonstrates how to create an SAS token using Azure Storage Explorer. 
[Figure 2-9 shows the Storage Explorer Shared Access Signature dialog: Start time and Expiry 
time (with a Local/UTC time zone choice); Permissions (Read, Write, Delete, List, Add, Create, 
Update, Process); Services (Blobs, Files, Queues, Tables); Resource types (Service, Container, 
Object); and Create/Cancel buttons.] 

FIGURE 2-9 Creating a shared access signature using Azure Storage Explorer 


Using shared access signatures 


Each SAS token is a query string parameter that can be appended to the full URI of the blob or 
other storage resource for which the SAS token was created. Create the SAS URI by appending 
the SAS token to the full URI of the blob or other storage resource. 


The following example shows the combination in more detail. Suppose the storage account name is examrefstorage, the blob container name is examrefcontainer, and the blob path is sample-file.png. The full URI to the blob in storage is

https://examrefstorage.blob.core.windows.net/examrefcontainer/sample-file.png

The combined URI with the generated SAS token is

https://examrefstorage.blob.core.windows.net/examrefcontainer/sample-file.png?sv=2019-10-10&ss=bfqt&srt=sco&sp=rwdlacupx&se=2020-05-08T08:50:14Z&st=2020-05-08T00:50:14Z&spr=https&sig=65tNhZtj21u0tih8HQtK7aEL9YCIpGGprZocxjiQ%2Fko%3D

In this token, sv is the storage service version, ss the services it covers (blob, file, queue, table), srt the resource types (service, container, object), sp the permissions, st and se the start and expiry times in UTC, spr the permitted protocol, and sig the HMAC-SHA256 signature computed over those fields with an account key. The service validates the token by recomputing that signature, so changing any parameter after the fact invalidates it.
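Before issuing or accepting a SAS URI like the one above, it is worth checking what it actually grants. The following is an added example, not code from the book: a small audit of the SAS query parameters that reports the token kind, mutating permissions, missing IP and protocol restrictions, lifetime, and how the token can be revoked. The 24-hour lifetime threshold and the wording of the findings are choices made here, and the self-test uses the book's sample URL with the whitespace from its printed line breaks removed.

```python
"""Audit the parameters of a SAS URL before handing it out or accepting it.

Added example, not from the book: the thresholds and finding texts are
choices made here; the URL used in the self-test is the book's sample with
the whitespace its line breaks introduced removed."""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Permission letters carried in "sp", as listed in the REST reference
PERMISSIONS = {"r": "read", "w": "write", "d": "delete", "l": "list", "a": "add",
               "c": "create", "u": "update", "p": "process", "x": "delete version"}


def parse_sas(url):
    """Return (resource URL without query, dict of SAS parameters)."""
    parts = urlsplit(url)
    params = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return parts._replace(query="", fragment="").geturl(), params


def _ts(value):
    # SAS timestamps are UTC in ISO 8601 form, e.g. 2020-05-08T08:50:14Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_sas(url, now=None, max_lifetime=timedelta(hours=24)):
    """Classify the SAS (account, service or user delegation) and list the
    properties a reviewer would question. Returns (kind, findings)."""
    if isinstance(now, str):
        now = _ts(now)
    now = now or datetime.now(timezone.utc)
    _, p = parse_sas(url)
    kind = "account" if "srt" in p else "user delegation" if "skoid" in p else "service"
    findings = []
    sp = p.get("sp", "")
    if set(sp) & set("wdacux"):
        names = ", ".join(PERMISSIONS.get(c, c) for c in sp)
        findings.append(f"grants mutating permissions ({names})")
    if kind == "account":
        if set("bfqt") <= set(p.get("ss", "")):
            findings.append("covers all four services (ss=bfqt)")
        if set("sco") <= set(p.get("srt", "")):
            findings.append("covers service, container and object levels (srt=sco)")
    if "sip" not in p:
        findings.append("no client IP restriction (sip)")
    if p.get("spr") != "https":
        findings.append("plain HTTP accepted (spr is not https)")
    if "se" in p:
        start = _ts(p["st"]) if "st" in p else now
        expiry = _ts(p["se"])
        if expiry <= now:
            findings.append("already expired")
        elif expiry - start > max_lifetime:
            findings.append(f"lifetime {expiry - start} exceeds {max_lifetime}")
    elif "si" not in p:
        findings.append("no expiry and no stored access policy: never expires")
    if kind == "service" and "si" in p:
        findings.append(f"bound to stored access policy {p['si']!r}: revocable by editing the policy")
    elif kind != "user delegation":
        findings.append("signed with an account key: revocable only by regenerating that key")
    return kind, findings


# The book's sample account SAS, whitespace from the printed line breaks removed
BOOK_SAS = ("https://examrefstorage.blob.core.windows.net/examrefcontainer/sample-file.png"
            "?sv=2019-10-10&ss=bfqt&srt=sco&sp=rwdlacupx&se=2020-05-08T08:50:14Z"
            "&st=2020-05-08T00:50:14Z&spr=https&sig=65tNhZtj21u0tih8HQtK7aEL9YCIpGGprZocxjiQ%2Fko%3D")

if __name__ == "__main__":
    kind, findings = audit_sas(BOOK_SAS, now="2020-05-08T01:00:00Z")
    print(kind, "SAS")
    for finding in findings:
        print(" -", finding)
```

Run as a script, it reports the book's sample token as an account SAS that is flagged on every axis except protocol and lifetime: all services, all resource types, write and delete permissions, no IP restriction, and revocable only by rolling the key. A token handed to one partner for one blob should produce an empty or near-empty list.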
Using account-level SAS

You can create the SAS at the storage account level, too. An account SAS can delegate access to resources in more than one service (Blob, File, Queue, and Table) and to service-level operations that a service SAS cannot, and it can grant write and delete permissions for all the resources (blobs, tables, and so on) of the storage account. Because of that reach, keep its permissions, resource types, and lifetime as narrow as the task allows.


Currently, stored access policy is not supported for account-level SAS. 


MOREINFO ACCOUNT LEVEL SAS

You can learn more about the account level SAS here: https://docs.microsoft.com/rest/api/storageservices/create-account-sas.


Using user delegation SAS

You can also create a user delegation SAS, which is signed with a user delegation key obtained with Azure AD credentials instead of with a storage account key. The user delegation SAS is only supported by Blob Storage, and it can grant access to containers and blobs. Currently, stored access policies are not supported for a user delegation SAS; it is revoked by revoking the user delegation key rather than by rolling an account key.


MOREINFO USER DELEGATION SAS

You can learn more about the user delegation SAS at https://docs.microsoft.com/rest/api/storageservices/create-user-delegation-sas.


Using a stored access policy 


An SAS token incorporates the access parameters (start and end time, permissions, and so on) as part of the signed token. The parameters cannot be changed without generating a new token, and the only ways to revoke an existing token before its expiry time are to regenerate the storage account key used to sign it, which also invalidates every other token signed with that key, or to remove the resource it grants access to. In practice, these limitations can make standard SAS tokens difficult to manage.

Stored access policies allow the parameters for an SAS token to be decoupled from the 
token itself. The access policy specifies the start time, end time, and access permissions, and 
the access policy is created independently of the SAS tokens. SAS tokens are generated that 
reference the stored access policy instead of embedding the access parameters explicitly. 


With this arrangement, the parameters of existing tokens can be modified by simply editing 
the stored access policy. Existing SAS tokens remain valid and use the updated parameters. You 
can revoke the SAS token by deleting the access policy, renaming it (changing the identifier), or 
changing the expiry time. 


MOREINFO STORED ACCESS POLICY EFFECT 


It can take up to 30 seconds for a stored access policy to take effect, and users might see an 
HTTP 403 when attempting access during that time. 
Figure 2-10 shows the creation of stored access policies in the Azure portal.


Azure portal, examrefcontainer | Access policy blade, Add policy: Identifier examrefcontainer-171F1D44E2F, Permissions 2 selected, Start time 05/07/2020 12:00:00 AM, Expiry time 05/08/2020 12:00:00 AM, (UTC-05:00) Eastern Time.


= 


FIGURE 2-10 Creating stored access policies using Azure portal 


Figure 2-11 shows stored access policies being created in Azure Storage Explorer. 


Azure Storage Explorer, Access Policies dialog for container examrefcontainer: policy examrefcontainer-171F1D44E2F, Start time 2020-05-07 08:54 PM, Expiry time 2020-05-14 08:54 PM, permission check boxes Read, Add, Create, Write, Delete, List; Save/Cancel.


FIGURE 2-11 Creating stored access policies using Azure Storage Explorer 


To use the created policies, reference them by name when creating an SAS token using Storage Explorer or when creating an SAS token using PowerShell or the CLI tools.




MOREINFO MAX ACCESS POLICIES 


You can only have a max of five access policies on a container, table, queue, or file share. 


Manage access keys 

The simplest way to manage access to a storage account is to use access keys. With the storage 
account name and an access key of the Azure storage account, you have full access to all data 
in all services within the storage account. You can create, read, update, and delete containers, 
blobs, tables, queues, and file shares. In addition, you have full administrative access to every- 
thing other than the storage account itself. (You cannot delete the storage account or change 
settings on the storage account, such as its type.) 

Applications will use the storage account name and key for access to Azure Storage. Sometimes, this is to grant access by generating an SAS token, and sometimes, it is for direct access with the name and key.

To access the storage account name and key, open the storage account from within the Azure portal and click Access Keys. Figure 2-12 shows the primary and secondary access keys for the examref storage account.


Azure portal, examref | Access keys blade: storage account name, primary and secondary access keys (values not shown).

FIGURE 2-12 Access keys for an Azure storage account


Each storage account has two access keys. This allows you to modify applications to use the 
second key instead of the first and then regenerate the first key. This technique is known as 
“key rolling,” and it allows you to reset the primary key with no downtime for applications that 
directly access storage using an access key. 

Storage account access keys can be regenerated using the Azure portal or the command-line tools. In PowerShell, this is accomplished with the New-AzStorageAccountKey cmdlet; with Azure CLI, you will use the az storage account keys renew command.

NOTE ACCESS KEYS AND SAS TOKENS

Rolling a storage account access key will invalidate any SAS token that was signed with that key, including tokens that reference a stored access policy. A user delegation SAS is signed with an Azure AD user delegation key rather than an account key, so it is not affected by key rolling.
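The three behaviours described in this note and in the stored access policy section above (a token's parameters cannot be edited, deleting a stored access policy revokes the tokens bound to it, and regenerating a key invalidates every token signed with it) all follow from how the signature is computed. The following added example, which is not from the book and is not the Azure SDK, models the Blob service's check of a service SAS: it signs the string-to-sign as laid out in the REST reference for version 2019-10-10 (as read here) with a locally generated dummy key, resolves a stored access policy by name (reusing the policy name from Figure 2-10), and then runs each scenario. The policy store and the authorize() function are a simplified model of the service, not its implementation.

```python
"""Model how the Blob service checks a service SAS, to show why editing a
token fails, why deleting a stored access policy revokes tokens bound to it,
and why rolling the signing key invalidates everything signed with it.

Added example, not from the book. The string-to-sign layout follows the REST
reference for service SAS version 2019-10-10 against a blob, as read here;
keys, the policy store and authorize() are a local model, not the Azure SDK,
and the policy name reuses the one from Figure 2-10."""
import base64
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode

ACCOUNT = "examref"
SV = "2019-10-10"


def new_key():
    # Account keys are 512-bit random values presented in Base64 (dummy here)
    return base64.b64encode(secrets.token_bytes(64)).decode()


def _sign(key_b64, string_to_sign):
    mac = hmac.new(base64.b64decode(key_b64), string_to_sign.encode("utf-8"), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def _string_to_sign(container, blob, p):
    # Field order for sv 2018-11-09 through 2020-02-10; absent fields still
    # contribute their newline. The six trailing fields are snapshot time and
    # the rscc..rsct response-header overrides, all unused here.
    canonical = f"/blob/{ACCOUNT}/{container}/{blob}"
    return "\n".join([p.get("sp", ""), p.get("st", ""), p.get("se", ""), canonical,
                      p.get("si", ""), p.get("sip", ""), p.get("spr", ""),
                      p.get("sv", ""), p.get("sr", "")] + [""] * 6)


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _fmt(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def make_sas(key_b64, container, blob, **fields):
    """Query string of a blob service SAS signed with one account key."""
    p = {"sv": SV, "sr": "b", **fields}
    p["sig"] = _sign(key_b64, _string_to_sign(container, blob, p))
    return urlencode(p)


def authorize(sas, keys, policies, container, blob, now):
    """What the service does: recompute the signature under every current key,
    resolve a stored access policy if the token names one, then check expiry."""
    p = {k: v[0] for k, v in parse_qs(sas).items()}
    expected = _string_to_sign(container, blob, p)
    if not any(hmac.compare_digest(_sign(k, expected), p.get("sig", "")) for k in keys.values()):
        return False, "signature matches no current account key"
    if "si" in p:
        policy = policies.get((container, p["si"]))
        if policy is None:
            return False, f"stored access policy {p['si']!r} not found"
        sp, se = policy["sp"], policy["se"]      # parameters live in the policy
    else:
        sp, se = p.get("sp", ""), p.get("se")    # parameters baked into the token
    if se is None or _ts(se) <= now:
        return False, "expired"
    return True, f"permissions {sp}"


def demo():
    """Run the scenarios; returns {scenario: (allowed, reason)}."""
    now = _ts("2020-05-08T01:00:00Z")
    keys = {"key1": new_key(), "key2": new_key()}
    c, b, pol = "examrefcontainer", "sample-file.png", "examrefcontainer-171F1D44E2F"
    policies = {(c, pol): {"sp": "rl", "se": _fmt(now + timedelta(days=7))}}
    adhoc = make_sas(keys["key1"], c, b, sp="r", se=_fmt(now + timedelta(hours=8)), spr="https")
    bound = make_sas(keys["key1"], c, b, si=pol, spr="https")
    out = {"adhoc": authorize(adhoc, keys, policies, c, b, now),
           "bound": authorize(bound, keys, policies, c, b, now),
           # 1. parameters cannot be edited: the signature no longer matches
           "tampered": authorize(adhoc.replace("sp=r", "sp=rw"), keys, policies, c, b, now)}
    # 2. deleting the policy revokes only the token bound to it
    del policies[(c, pol)]
    out["bound_after_delete"] = authorize(bound, keys, policies, c, b, now)
    out["adhoc_after_delete"] = authorize(adhoc, keys, policies, c, b, now)
    # 3. regenerating key1 invalidates everything signed with it; key2 still works
    keys["key1"] = new_key()
    out["adhoc_after_roll"] = authorize(adhoc, keys, policies, c, b, now)
    out["key2_signed"] = authorize(make_sas(keys["key2"], c, b, sp="r",
                                            se=_fmt(now + timedelta(hours=8))), keys, policies, c, b, now)
    return out


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:20} {'allowed' if ok else 'denied':8} {why}")
```

The point of the key-rolling scenario is that the service accepts a signature under either key, which is exactly why the two-key design lets you move applications to key2 before regenerating key1: tokens and clients still on key1 keep working until that regeneration, and then fail immediately.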


Managing access keys in Azure Key Vault 
It is important to protect the storage account access keys because they provide full access to 
the storage account. Azure Key Vault helps safeguard cryptographic keys and secrets used 
by cloud applications and services, such as authentication keys, storage account keys, data 
encryption keys, and certificate private keys. 

Keys in Azure Key Vault can be protected in software or by using hardware security modules 
(HSMs). HSM keys can be generated in place or imported. Importing keys is often referred to as 
bring your own key, or BYOK. 


MOREINFO USING HSM-PROTECTED KEYS FOR AZURE KEY VAULT
You can learn more about the bring your own key (BYOK) scenario here: https://docs.microsoft.com/azure/key-vault/key-vault-hsm-protected-keys.


You can manage storage account keys with Key Vault using Azure PowerShell or the CLI. You can learn more using the following links:

■ PowerShell: https://docs.microsoft.com/azure/key-vault/secrets/overview-storage-keys-powershell
■ CLI: https://docs.microsoft.com/azure/key-vault/secrets/overview-storage-keys

Retrieving the stored keys and secrets is typically done by a developer from application code, although secrets in Key Vault can also be referenced from ARM templates during deployment.


MOREINFO ACCESSING ENCRYPTED KEYS FROM AZURE KEY VAULT

You can learn more about how developers securely retrieve and use secrets from Azure Key Vault here: https://docs.microsoft.com/azure/storage/blobs/storage-encrypt-decrypt-blobs-key-vault.


Configure Azure AD Authentication for a storage account 


Azure AD authentication is beneficial for customers who want to control data access at an enterprise level based on their security and compliance standards. Azure AD authorization is available for Blob and Queue storage alongside the existing shared-key and SAS token authorization mechanisms. Azure Table storage is not supported with Azure AD authorization as of this writing.

NOTE AZURE AD AUTHORIZATION SUPPORT FOR STORAGE ACCOUNTS

Azure AD authorization is supported only for storage accounts created with the Azure Resource Manager deployment model, not for classic storage accounts.

Azure AD authentication enables customers to leverage Azure RBAC for granting the required permissions to a security principal (a user, group, or application) down to the scope of an individual blob container or queue. When it authenticates a request, Azure AD returns an OAuth 2.0 access token to the security principal, which the principal presents to Azure Storage (blob or queue) for authorization.

Azure AD authorization can be used in several ways, such as assigning RBAC roles to a security principal (users, groups, and applications), using a managed identity for Azure resources (formerly called managed service identity, MSI), or creating shared access signatures signed with Azure AD credentials (the user delegation SAS described earlier).

If an application is running from within an Azure entity such as an Azure VM, a virtual 
machine scale set, or an Azure Functions app, it can use a managed service identity (MSI) to 
access blobs or queues. 


NEED MORE REVIEW? AUTHORIZING ACCESS 


More information about authorizing access to blob and queue data with managed identities 
for Azure resources can be found at https://docs.microsoft.com/en-us/azure/storage/common/ 
storage-auth-aad-msi 


RBAC roles for blobs and queues

There are a few built-in RBAC roles available in Azure for authorizing access to Blob and Queue Storage.

■ Storage Blob Data Owner: Grants full access to Blob Storage containers and data, including setting ownership and managing POSIX access control for Azure Data Lake Storage Gen2.
■ Storage Blob Data Contributor: Grants read/write/delete permissions for Blob Storage.
■ Storage Blob Data Reader: Grants read-only permissions for Blob Storage.
■ Storage Queue Data Contributor: Grants read/write/delete permissions for Queue Storage.
■ Storage Queue Data Reader: Grants read-only permissions for Queue Storage.
■ Storage Queue Data Message Processor: Grants peek, retrieve, and delete permissions to messages in queues.
■ Storage Queue Data Message Sender: Grants add permissions to messages in queues.

Note that the management-plane roles Owner, Contributor, and Reader do not by themselves grant Azure AD access to blob or queue data. Owner and Contributor do include the Microsoft.Storage/storageAccounts/listKeys/action permission, however, so a principal holding either of them can still reach all data by listing the account keys; Reader cannot. Keep that in mind when you audit who can read storage data.


NEED MORE REVIEW? BUILT-IN ROLE DETAILS 


For more information about built-in roles, see https://docs.microsoft.com/azure/role-based- 
access-control/built-in-roles#storage. 
Resource scope for blobs and queues

It is also important to determine the scope of access for the security principal before you assign an RBAC role. You can narrow down the scope to the container or queue level. The valid scopes are:

■ Container. Under this scope, the role assignment applies at the container level. All the blobs inside the container, the container properties, and the metadata inherit the role assignment when this scope is selected.
■ Queue. Under this scope, the role assignment applies at the queue level. All the messages inside the queue, as well as queue properties and metadata, inherit the role assignment when this scope is selected.
■ Storage account. Under this scope, the role assignment applies at the storage account level. All the containers, blobs, queues, and messages within the storage account inherit the role assignment when this scope is selected.
■ Resource group. Under this scope, the role assignment applies at the resource group level. All the containers or queues in all the storage accounts in the resource group inherit the role assignment when this scope is selected.
■ Subscription. Under this scope, the role assignment applies at the subscription level. All the containers or queues in all the storage accounts in all the resource groups in the subscription inherit the role assignment when this scope is selected.
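Choosing the scope is where least privilege is actually decided, so it helps to compute it rather than guess. The following added example (not from the book) builds the ARM resource IDs for container and queue scopes, finds the narrowest assignable scope that covers a set of resources a principal needs, and checks whether an assignment at some scope reaches a given resource. The subscription ID, resource group, account and resource names are made up.

```python
"""Pick the narrowest RBAC scope that still covers a set of containers or
queues, and test whether an assignment reaches a given resource.

Added example, not from the book. The subscription ID, resource group and
resource names are made up; the resource ID formats are the ARM ones."""

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
STORAGE = "providers/Microsoft.Storage/storageAccounts"


def container_scope(rg, account, container):
    return f"{SUB}/resourceGroups/{rg}/{STORAGE}/{account}/blobServices/default/containers/{container}"


def queue_scope(rg, account, queue):
    return f"{SUB}/resourceGroups/{rg}/{STORAGE}/{account}/queueServices/default/queues/{queue}"


def scope_covers(assignment_scope, resource_id):
    """Assignments inherit downward: they apply to the scope itself and to
    everything beneath it, never sideways or upward."""
    return resource_id == assignment_scope or resource_id.startswith(assignment_scope + "/")


# Segment names whose following segment closes an assignable scope
SCOPE_LEVELS = {"subscriptions", "resourceGroups", "storageAccounts", "containers", "queues"}


def narrowest_scope(resource_ids):
    """Longest common prefix of the IDs, backed off to the nearest level at
    which a data-plane role can be assigned."""
    split = [r.strip("/").split("/") for r in resource_ids]
    common = []
    for column in zip(*split):
        if len(set(column)) != 1:
            break
        common.append(column[0])
    for cut in range(len(common), 1, -1):
        if common[cut - 2] in SCOPE_LEVELS:
            return "/" + "/".join(common[:cut])
    raise ValueError("resources do not share a subscription")


if __name__ == "__main__":
    needed = [container_scope("ExamRefRG", "examref", "examrefcontainer"),
              container_scope("ExamRefRG", "examref", "logs"),
              queue_scope("ExamRefRG", "examref", "orders")]
    scope = narrowest_scope(needed)
    print("assign at:", scope)
    print("reaches sample container:", scope_covers(scope, needed[0]))
```

Two containers and a queue in the same account resolve to the storage account scope; add a container from another account in the same resource group and the answer widens to the resource group. When the computed scope is wider than you expected, that is the signal to split the work across two principals with two narrower assignments instead.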


AAD authentication and authorization in Azure portal 
In the following example, you will learn how to configure the AAD authentication method in 
order to allow users to access the blob data. 

In Figure 2-13, you can see the examrefcontainer container has one blob named 
UserCreateTemplate.csv. Also, notice that the authentication method is currently set as 
Access Key. 


Azure portal, examrefcontainer overview blade, showing the blob UserCreateTemplate.csv with Authentication method: Access Key.


FIGURE 2-13 The overview blade of examrefcontainer 


Switch the authentication method to Azure AD User Account by clicking Switch To Azure 
AD Account. You will see a warning message indicating that you do not have permission to list 
the data (see Figure 2-14). 
FIGURE 2-14 The overview blade of examrefcontainer


Now let's assign the Storage Blob Data Reader role to the logged-in user at the container level. Go to the Access Control (IAM) blade on the container, click Add Role Assignment, and select Storage Blob Data Reader from the Role drop-down menu. Then search for and select the user (CIE Administrator in this example). Click Save to apply the role assignment (see Figure 2-15).


Add role assignment pane: Role Storage Blob Data Reader; Assign access to Azure AD user, group, or service principal; Select CIE Administrator; Selected members: CIE Administrator.


FIGURE 2-15 Storage Blob Data Reader Role assignment 
You should now see the current user with the role Storage Blob Data Reader under Role Assignments (see Figure 2-16).


examrefcontainer | Access Control (IAM), Role assignments tab: 3 items (2 users, 1 service principal); Contributor inherited from the subscription, and the user with Storage Blob Data Reader at scope This resource.


FIGURE 2-16 Role assignments for examrefcontainer 


If you navigate to Overview blade of examrefcontainer now, you will see the 
UserCreateTemplate.csv blob with authentication method shown as Azure AD User Account 
(see Figure 2-17). 


NOTE RBAC ROLES EFFECT 


Sometimes, RBAC roles take up to 5 minutes to propagate the role assignments. 
FIGURE 2-17 The overview blade of examrefcontainer


Configure access to Azure Files 


Azure Files provides managed file shares that are accessible over the SMB protocol. SMB is 
a network file-sharing protocol, and Azure Files provides flexibility to use the following two 
types of identity-based authentication to access the shares. 


■ On-premises Active Directory Domain Services (AD DS)
■ Azure Active Directory Domain Services (Azure AD DS)


In this section, you will learn how to use either of these domain services to access file shares 
over SMB. Azure file shares leverage Kerberos tokens to authenticate a user or application to 
access the file shares. You can configure authorization either at the share or directory/file levels. 
Share-level permission can be assigned using Azure built-in roles such as Storage File Data SMB Share Reader, which grants Azure AD users or groups read access to an Azure file share.


On-premises Active Directory Domain Services (AD DS) authentication 
and authorization 


You can enable AD DS authentication for your Azure file shares to authenticate using your on-premises AD DS credentials. You can also manage granular access control by syncing identities from on-premises AD DS to Azure AD with Azure AD Connect. Share-level access is assigned to the identities synced to Azure AD, and directory/file-level access is controlled with Windows ACLs evaluated against the on-premises AD DS credentials.


To configure identity-based authentication using AD DS, there is a five-step process you 
need to follow for your Azure file shares. You can get the documentation link using the Azure 
portal as shown in Figure 2-18. Click the How To Domain Join The Storage Account hyper- 
link to access the latest official documentation. 
Azure portal, examref | Configuration blade, with the How To Domain Join The Storage Account link.

FIGURE 2-18 Configuring identity-based access for file shares using AD DS

Follow these steps for AD DS authentication:
1. Enable AD DS authentication on your storage account.
2. Assign share-level access permissions to an Azure AD identity.
3. Assign directory/file-level permissions using Windows ACLs.
4. Mount the Azure file share.
5. Update the password of your storage account identity in AD DS.


Azure Active Directory Domain Services (Azure AD DS) authentication 
and authorization 


You can enable Azure AD DS authentication for your Azure file shares to authenticate with 
Azure AD credentials. Azure AD DS—joined Windows machines can access Azure file shares 
with Azure AD credentials over SMB. 


To configure identity-based authentication using Azure AD DS, there is a set of steps you 
need to follow for your Azure file shares. 


1. First, you must enable Azure AD DS for your storage account. You can enable it using the Azure portal by accessing the storage account Configuration option and then setting Azure AD DS Identity-Based Access For File Shares to Enabled, as shown in Figure 2-19. Once enabled, click Save at the top.


Azure portal, examref | Configuration blade (Save, Discard, Refresh).

FIGURE 2-19 Configuring Identity-Based Access For File Shares using Azure AD DS

2. You also need to register your storage account with AD DS and enable AD DS authentication for your Azure file shares. There are two ways to accomplish this:


■ Use the AzFilesHybrid PowerShell module. This module makes the required modifications and enables the feature for you. Note the following:
■ You can download and extract the AzFilesHybrid module here: https://github.com/Azure-Samples/azure-files-samples/releases.
■ Note that v0.2.0 and above are GA versions.
■ Install the module on a device that is domain joined to an on-premises AD DS, using AD DS credentials that have permissions to create a service logon account or a computer account in the target AD.
■ You must execute the commands using an on-premises AD DS credential that is synced to your Azure AD. That credential must also hold either the Owner or the Contributor Azure role on the storage account.
■ Join-AzStorageAccountForAuth is the module command that registers the target storage account with your Active Directory environment under the target OU. You can choose to create the identity that represents the storage account as either a service logon account or a computer account, depending on the AD permissions you have and your preference. Run Get-Help Join-AzStorageAccountForAuth for more details on this cmdlet.


■ Manually perform the enablement actions. To enable the feature manually, you need the Active Directory PowerShell and Az.Storage 2.0 modules installed. You also need to check your AD DS to see whether a computer account or service logon account has already been created for the storage account; if not, you must create one. Then use the following command to enable the feature on your storage account, providing the target storage account and the required AD domain information:

Set-AzStorageAccount `
    -ResourceGroupName "<your-resource-group-name-here>" `
    -Name "<your-storage-account-name-here>" `
    -EnableActiveDirectoryDomainServicesForFile $true `
    -ActiveDirectoryDomainName "<your-domain-name-here>" `
    -ActiveDirectoryNetBiosDomainName "<your-netbios-domain-name-here>" `
    -ActiveDirectoryForestName "<your-forest-name-here>" `
    -ActiveDirectoryDomainGuid "<your-guid-here>" `
    -ActiveDirectoryDomainSid "<your-domain-sid-here>" `
    -ActiveDirectoryAzureStorageSid "<your-storage-account-sid>"


■ Next, you need to configure share-level permissions in order to get access to your file shares. First, you need a hybrid identity that exists in AD DS and is synced to your Azure AD. Authentication and authorization against identities that exist only in Azure AD, such as managed identities, are not supported with AD DS authentication. You can assign share-level permissions to the identity using the Azure portal by accessing the Access Control (IAM) blade on an Azure file share. Select Add A Role Assignment, select one of the following roles, and select the identity. Save the changes by clicking Save at the top of the blade.
■ Storage File Data SMB Share Reader: Allows read access in Azure Storage file shares over SMB.
■ Storage File Data SMB Share Contributor: Allows read, write, and delete access in Azure Storage file shares over SMB.
■ Storage File Data SMB Share Elevated Contributor: Allows read, write, delete, and modify NTFS permissions in Azure Storage file shares over SMB.


Once you assign share-level permissions, you must assign granular permissions at the root, directory, or file level using basic and advanced Windows ACLs. The following permissions are supported on the root directory of a file share:

■ BUILTIN\Administrators:(OI)(CI)(F)
■ NT AUTHORITY\SYSTEM:(OI)(CI)(F)
■ BUILTIN\Users:(RX)
■ BUILTIN\Users:(OI)(CI)(IO)(GR,GE)
■ NT AUTHORITY\Authenticated Users:(OI)(CI)(M)
■ NT AUTHORITY\SYSTEM:(F)
■ CREATOR OWNER:(OI)(CI)(IO)(F)


Mount the Azure file share from a domain-joined VM. Log in to the domain-joined VM using an Azure AD identity, such as a user that was granted the permissions mentioned in the previous steps. Note that if the client machine is not on the AD DS network, you must use a VPN in order to authenticate successfully. You can use the net use command to mount the file share. Following is a sample command:

net use <drive-letter>: \\<storage-account>.file.core.windows.net\<fileshare>

If you want to grant permission to additional users, you can follow the steps again with the target Azure AD identity to provide access to Azure file shares.


To configure ACLs with superuser permissions, you must mount the share by using your storage account key from your domain-joined VM:

net use <drive-letter>: \\<storage-account>.file.core.windows.net\<fileshare> /user:Azure\<storage-account-name> <storage-account-key>


You can configure the Windows ACLs using either Windows File Explorer or icacls. You can use the following command to grant full permissions to all directories and files under the file share, including the root directory:

icacls <mounted-drive-letter>: /grant <user-email>:(f)


NEED MORE REVIEW? MORE ABOUT ICACLS 


More information on icacls can be found at https://docs.microsoft.com/en-us/ 
windows-server/administration/windows-commands/icacls. 
Alternatively, you can also use Windows File Explorer to grant the necessary permissions. Note that both share-level and file/directory-level permissions are enforced when a user attempts to access a file or directory. If the two disagree, the most restrictive permission is applied. For example, if the user has read/write access at the share level but only read access at the file level, the user can only read the file. The same is true in reverse.


The final step is to update the password of the AD DS identity/account that represents your storage account in an organizational unit or domain that enforces a password expiration time. You can use the Update-AzStorageAccountADObjectPassword cmdlet from the AzFilesHybrid module to update the password. The password is derived from one of the storage account's Kerberos keys (kerb1 or kerb2); the cmdlet regenerates the key named by -RotateToKerbKey and sets the AD object password to match, so this is effectively a key rotation. It must be performed by a hybrid user with Owner permission on the storage account and AD DS permissions to change the password of the identity representing the storage account. You must run the following command in an on-premises, AD DS-joined environment:

Update-AzStorageAccountADObjectPassword -RotateToKerbKey kerb2 -ResourceGroupName "<resource-group-name>" -StorageAccountName "<storage-account-name>"
If your dataset is large enough, or if you have limited or no connectivity from your data to the Internet, you might want to physically ship the data and import it into Microsoft Azure instead of uploading it. The solution is the Azure Import/Export service, which allows you to ship data into or out of an Azure Storage account by physically shipping disks to an Azure datacenter. This service is ideal when uploading or downloading the data directly is either not possible or prohibitively expensive. Azure Import/Export is only used with Blob Storage and Azure Files. You will learn how to import and export the data in this section. In a later part of this skill, you will also learn how to use tools like Azure Storage Explorer and AzCopy.


This section covers how to:
■ Create an export from an Azure job
■ Create an import into an Azure job
■ Install and use Azure Storage Explorer
■ Copy data by using AzCopy
■ Implement Azure Storage replication
■ Configure blob object replication


Create an export from an Azure job 


An export job allows you to export large volumes of data from Azure Storage to your on-premises 
environment by shipping you the data on disk. This service only supports the export of blobs. 
To export blob data, create an export job on the storage account using the management portal. To create an export job, do the following:


1. Log in to the Azure portal, click All Services, and search for and select Import/Export 
Jobs. 


2. Click Create Import/Export Job. 


3. On the Basics tab (as shown in Figure 2-20), choose Export From Azure and specify the 
job name and the resource group to contain the created job. Click OK. 


4. On the Job Details tab, choose which storage account to export from and choose the blobs to export. You have the following options:

■ Export All
■ Selected Containers And Blobs
■ Export From Blob List File (XML Format)

5. Click OK.


6. On the Return Shipping Info tab, specify your carrier information and the address for 
the disks to be shipped to. Click OK. 


7. On the Summary tab, click the OK button after confirming the export job. 


Create import/export job, Basics tab: Type Export from Azure (Import into Azure not selected), Name ExamRefExportJob, Subscription Visual Studio Ultimate with MSDN, Resource group (New) ExamRefRG.


FIGURE 2-20 The Create Import/Export Job blade in the Azure portal 


MOREINFO WALKTHROUGH CREATING A DATA EXPORT JOB

To learn more about creating an export job, see https://docs.microsoft.com/azure/storage/common/storage-import-export-data-from-blobs.


After you receive the disks from Microsoft, you will need to retrieve the BitLocker keys from 
the Azure portal to unlock the disks. 
Create an import into an Azure job


An import job allows you to import large volumes of data to Azure by shipping the data on 
disk to Microsoft. 


The first step to import data using the Azure Import/Export service is to install the Microsoft Azure Import/Export tool, known as the WAImportExport tool.


NOTE WAIMPORTEXPORT TOOL

There are two versions of the WAImportExport tool. Version 1 is recommended for Azure Blob Storage, and version 2 is recommended for Azure Files.

Download links:
■ Version 1: https://www.microsoft.com/download/details.aspx?id=42659
■ Version 2: https://www.microsoft.com/download/details.aspx?id=55280


Additional requirements and limitations of the Azure Import/Export Jobs tool include:
■ Windows 7, Windows Server 2008 R2, or a later OS version is required.
■ The tool also requires .NET Framework 4.5.1 or later and BitLocker.
■ All storage account types are supported (General-Purpose V1, General-Purpose V2, and Blob Storage).
■ Block, Page, and Append Blobs are supported for both import and export.
■ The Azure Files service is only supported for import jobs, not export jobs.


NOTE WAIMPORTEXPORT TOOL SUPPORT 


This tool only works with 64-bit operating systems and might not work with 32-bit operating 
systems. 


Table 2-3 lists the disk requirements for sending data to the Import/Export service.

TABLE 2-3 Supported disks for the Import/Export service

Disk Type | Size | Supported         | Not Supported
SSD       | 2.5" | SATA III          | none listed
HDD       | 3.5" | SATA II, SATA III | External HDD with built-in USB adaptor; disk inside the casing of an external HDD; USB drives
EXAM TIP


A single import/export job can have a maximum of 10 HDDs and SSDs and a mix of HDDs 
and SSDs of any size. 


The second step to import data is to prepare your drives using the WAImportExport tool and copy the data to be transferred to the drives.

When preparing the drive, the first session requires several parameters, such as the destination storage account key, the BitLocker key, and the log directory. The following example (for the v1 tool) shows the syntax for using the Azure Import/Export tool with the PrepImport parameter to prepare the disk for an import job for the first session.

WAImportExport.exe PrepImport /j:<JournalFile> /id:<SessionId> [/logdir:<LogDirectory>] [/sk:<StorageAccountKey>] /InitialDriveSet:<driveset> /DataSet:<driveset>


The Azure Import/Export tool creates a journal file that contains the information necessary 
to restore the files on the drive to the Azure Storage account, such as mapping a folder or file 
to a container, blob, or files. Each drive used in the import job will have a unique journal file 
that is created by the tool. 


NOTE USING THE WAIMPORTEXPORT TOOL 


To add a single file to the drive and journal file, use the /srcfile parameter, instead of the 
/srcdir parameter. 


The Azure Import/Export tool supports a number of other parameters. For a full list, see:
■ Version 1: https://docs.microsoft.com/azure/storage/common/storage-import-export-tool-preparing-hard-drives-import-v1
■ Version 2: https://docs.microsoft.com/azure/storage/common/storage-import-export-tool-preparing-hard-drives-import
Once the drive preparation is complete, the third step in the import process is to create an import job through the Azure portal. To create an import job, do the following:

1. Log in to the Azure portal and click All Services > Storage > Import/Export Jobs.
2. Click Create Import/Export Job.
3. On the Basics tab, choose Import Into Azure and specify the job name and the resource group to contain the created job. Click OK.
4. On the Job Details tab, choose the journal file created with the WAImportExport.exe tool and select the destination storage account. Click OK.
5. On the Return Shipping Info tab, specify your carrier information and the return address for the disks. Click OK.
6. On the Summary tab, click the OK button after confirming the import job.


Having created the import job, the fourth step in the import process is to physically ship the 
disks to Microsoft using a supported courier service with a tracking number for your package. 
Once you have the tracking number, update the job properties of the existing import 
job. The drives will be returned using the courier information provided in the import job. 


Check the job status regularly using the Get Job operation until it is completed. You can then 
verify that the data has been uploaded to Azure. 


NEED MORE REVIEW? WALKTHROUGH CREATING A DATA IMPORT JOB 
To learn more about creating an import job, see the following: 


■ Version 1 (blobs): https://docs.microsoft.com/azure/storage/common/storage-import-export-data-to-blobs 


■ Version 2 (files): https://docs.microsoft.com/azure/storage/common/storage-import-export-data-to-files 


Install and use Azure Storage Explorer 


Azure Storage Explorer is a cross-platform application designed to help you quickly manage 
one or more Azure Storage accounts. It can be used with all storage services: Blob Storage, 
Azure Tables, Queue Storage, and Azure Files. In addition, Azure Storage Explorer also sup- 
ports the CosmosDB and Azure Data Lake Storage services. 


You can install Azure Storage Explorer by navigating to its landing page at https:// 
azure.microsoft.com/features/storage-explorer/ and selecting your operating system choice 
(Windows, macOS, or Linux). 


In addition, a version of Storage Explorer with similar functionality is integrated into the Azure 
portal. To access it, click Storage Explorer (Preview) on the storage account blade. 


Connecting Storage Explorer to Storage Accounts 


After Storage Explorer is installed, you can connect to Azure Storage in one of five different 
ways (shown in Figure 2-21): 

■ Add An Azure Account. This option allows you to sign in using a work or Microsoft 
account and access all your storage accounts via role-based access control. 

■ Using A Connection String. This option requires you to have access to the connection 
string of the storage account. The connection string is retrievable by opening the 
storage account blade in the Azure portal and clicking Access Keys. 

■ Use A Shared Access Signature URI. A shared access signature provides access to a 
storage account without requiring an account key to be shared. Access can be restricted, 
for example, to read-only access for Blob Storage for one week only. 

■ Using A Storage Account Name And Key. This option requires you to have access 
to the storage account name and key. These values can also be accessed from the Azure 
portal under Access Keys. 

■ Attach To A Local Emulator. Allows you to connect to the local Azure Storage 
emulator that is part of the Microsoft Azure SDK. 

After connecting, you then filter which subscriptions to use. Once you select a subscription, 
all the supported services within the subscription are made available. Figure 2-22 
shows an expanded Azure Storage account named examref. 
FIGURE 2-21 Connecting to an Azure Storage Account using Azure Storage Explorer 


FIGURE 2-22 Azure Storage Explorer showing an Azure Storage Account beneath the subscription 


NOTE CONNECT TO COSMOS DB USING STORAGE EXPLORER 


You can connect to Cosmos DB using Storage Explorer. You can find more details at 
https://docs.microsoft.com/azure/cosmos-db/storage-explorer. 


Using Storage Explorer 


Using Storage Explorer, you can manage each of the storage services: Blob Storage, Azure 
Tables, Queue Storage, and Azure Files. Table 2-4 summarizes the supported operations for 
each service. 


TABLE 2-4 Storage Explorer Operations 


Storage Service | Supported Operations 
Blob  | Blob containers. Create; rename; copy; delete; control public access level; manage leases; and create and manage shared access signatures and access policies 
      | Blobs. Upload; download; manage folders; rename and delete blobs; copy blobs; create and manage blob snapshots; change blob access tier; and create and manage shared access signatures and access policies 
Table | Tables. Create; rename; copy; delete; and create and manage shared access signatures and access policies 
      | Table entities. Import, export, view, add, edit, delete, and query 
Queue | Queues. Create; delete; and create and manage shared access signatures and access policies 
      | Messages. Add, view, dequeue, and clear all messages 
Files | File shares. Create; rename; copy; delete; create and manage snapshots; connect a VM to a file share; and create and manage shared access signatures and access policies 
      | Files. Upload folders or files; download folders or files; manage folders; copy; rename; and delete 


In each case, Azure Storage Explorer provides an intuitive GUI for the operation. 


Storage blob copy 

The Azure Storage Explorer can be used to perform a storage blob copy. To copy between 
storage accounts, navigate to the source storage account, select one or more files, and click 
the Copy button on the toolbar. Next, navigate to the destination storage account, expand 
the container that you want to copy to, and click Paste from the toolbar. In Figure 2-23, the 
CreateUserTemplate.csv blob was copied from examref\srccontainer to examref\destcontainer 
using this technique. 


FIGURE 2-23 Using the async blob copy service with Storage Explorer 


Copy data by using AzCopy 


AzCopy is a command-line utility that you can use to perform large-scale bulk transfers of data 
to and from Azure Storage. AzCopy performs its operations asynchronously, so multiple 
transfers can run concurrently. It is also fault-tolerant: if an operation is interrupted for some 
reason, it can resume from where it left off once the issue is resolved. 


The latest version of AzCopy lets you take incremental backups of blobs and keep them 
synchronized so that both locations hold the same version of the data. AzCopy can be added to the system 
path so that you can run it from any folder on your system when using Windows PowerShell. 
Otherwise, you have to change to the directory where the AzCopy executable is stored 
every time. You can list the available commands with azcopy -h. 


NOTE AZCOPY WITH STORAGE EXPLORER 


Storage Explorer is a graphical user interface that uses AzCopy in the background to perform 
all its data transfer operations. 


AzCopy must authenticate to Azure Storage before it runs any operations within the 
session. You can do this by running the azcopy login command and signing in. AzCopy 
also supports other authorization methods, such as a service principal, SAS token, access key, managed 
identity, and so on. For example, run this command to authenticate using a service principal 
(the client secret is not passed on the command line; AzCopy reads it from the 
AZCOPY_SPA_CLIENT_SECRET environment variable): 


azcopy login --service-principal --application-id <application-id> --tenant-id=<tenant-id> 


MORE INFO CREATE AN AAD APP AND SERVICE PRINCIPAL 


You can find step-by-step instructions for how to create an Azure AD app and service 
principal at https://docs.microsoft.com/azure/active-directory/develop/howto-create-service-principal-portal. 


Upload/download the data using AzCopy 


You can upload the data to Azure Blob Storage using AzCopy. The only condition is that the 
storage account and destination container should already exist. In the example below, the 
CreateUserTemplate.csv file will be copied to the destcontainer. 


azcopy copy "CreateUserTemplate.csv" "https://examref.blob.core.windows.net/destcontainer/" 


If you are using a SAS token, the syntax is as follows: 


azcopy copy "CreateUserTemplate.csv" "https://examref.blob.core.windows.net/destcontainer/?<sas token>" 


You can upload multiple files with their folder structure by pointing AzCopy at a local folder 
and adding the --recursive=true option: 


azcopy copy "<local folder>" "https://examref.blob.core.windows.net/destcontainer/?<sas token>" --recursive=true 


You can also download data from Azure Blob Storage using AzCopy. In the example 
below, the CreateUserTemplate.csv file is downloaded from the srccontainer. 


azcopy copy "https://examref.blob.core.windows.net/srccontainer/CreateUserTemplate.csv" "CreateUserTemplate.csv" 
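Both the Storage Explorer "Use A Shared Access Signature URI" option and the azcopy examples above hand a SAS token to a tool that will use whatever the token allows, so it is worth inspecting the token first. The following is an added example, not code from the book or from AzCopy: it parses the SAS query string, checks expiry, protocol, permission scope (the sp letters r, w, d, l, a, c, u, p) and whether the token is account-wide, and masks the signature so the URL can be logged. The account name, containers and token values are constructed placeholders.

```python
"""Inspect a shared access signature (SAS) URI before pasting it into Storage
Explorer or passing it to azcopy.  Added example, not code from the book;
the account, container and token values are constructed placeholders."""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit, urlunsplit

# Permission letters used in the sp parameter of a SAS token.
PERMISSION_NAMES = {"r": "read", "w": "write", "d": "delete", "l": "list",
                    "a": "add", "c": "create", "u": "update", "p": "process"}


def parse_sas(url):
    """Return the query parameters of a SAS URL as a flat dict."""
    query = urlsplit(url).query
    return {key: values[0] for key, values in parse_qs(query).items()}


def redact_sas(url):
    """Mask the signature so the URL can be written to logs or tickets."""
    parts = urlsplit(url)
    pairs = ["sig=REDACTED" if p.startswith("sig=") else p
             for p in parts.query.split("&")]
    return urlunsplit(parts._replace(query="&".join(pairs)))


def _parse_expiry(value):
    """Parse the se/st timestamp formats Azure accepts (always UTC)."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError("unrecognised SAS timestamp: %r" % value)


def check_sas(url, needed, now, max_lifetime=timedelta(days=7)):
    """Return a list of findings; an empty list means the token fits the task.

    needed: permission letters the task requires, e.g. "rl" for a download.
    """
    sas = parse_sas(url)
    if "sig" not in sas:
        return ["not a SAS URL: no sig parameter"]
    findings = []
    # spr restricts the protocol; when absent the token is HTTPS only.
    if sas.get("spr", "https") != "https":
        findings.append("token is usable over plain HTTP (spr=%s)" % sas["spr"])
    # se is the expiry; a token without one lives until the key is rotated.
    if "se" not in sas:
        findings.append("no expiry (se): token is valid until the key rotates")
    else:
        expiry = _parse_expiry(sas["se"])
        if expiry <= now:
            findings.append("token expired at %s" % sas["se"])
        elif expiry - now > max_lifetime:
            findings.append("token lifetime exceeds %d days" % max_lifetime.days)
    # sp lists the granted permissions; compare them with what the task needs.
    granted, wanted = set(sas.get("sp", "")), set(needed)
    if wanted - granted:
        findings.append("token lacks permissions: " + "".join(sorted(wanted - granted)))
    if granted - wanted:
        extra = ", ".join(PERMISSION_NAMES.get(p, p) for p in sorted(granted - wanted))
        findings.append("token grants more than needed: " + extra)
    # srt marks an account-level token, which reaches every service in the account.
    if "srt" in sas:
        findings.append("account-level token (srt=%s) rather than one container" % sas["srt"])
    return findings


# Constructed samples (not real tokens): a narrow container token and a broad one.
GOOD_SAS = ("https://examref.blob.core.windows.net/srccontainer"
            "?sv=2020-08-04&sr=c&sp=rl&st=2020-12-01T00:00:00Z"
            "&se=2020-12-07T00:00:00Z&spr=https&sig=CONSTRUCTED%2Fsig%3D")
WEAK_SAS = ("https://examref.blob.core.windows.net/"
            "?sv=2020-08-04&ss=bfqt&srt=sco&sp=rwdlacup&se=2030-12-31T23:59:59Z"
            "&spr=https,http&sig=CONSTRUCTED%2Fsig%3D")
NOW = datetime(2020, 12, 2, tzinfo=timezone.utc)

if __name__ == "__main__":
    for url in (GOOD_SAS, WEAK_SAS):
        print(redact_sas(url))
        for finding in check_sas(url, "rl", NOW) or ["ok"]:
            print("  -", finding)
```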


Async blob copy 


The AzCopy application can also be used to copy between storage accounts. The following 
example shows how to copy the blob from source storage account's container to destination 
storage account's container using SAS token. 


azcopy copy "https://examref.blob.core.windows.net/srccontainer/[blob-path]?<sas token>" "https://examrefdest.blob.core.windows.net/destcontainer/[blob-path]?<sas token>" 


MORE INFO AZCOPY 


AzCopy version 10 is multi-platform and works with Windows, Linux, and macOS. For more 
information on AzCopy, see https://docs.microsoft.com/azure/storage/common/storage-use-azcopy. 
Sync blob copy 


You can use the azcopy sync command to do synchronized copy between two blob containers. 
This command synchronizes the contents of a destination container with a source container 
by copying blobs if the last modified time of a blob in the destination is earlier than that of the 
corresponding blob in the source. By default, the recursive flag is true for the sync command 
and copies all subdirectories: 


azcopy sync "https://examref.blob.core.windows.net/srccontainer/?<sas token>" "https://examref.blob.core.windows.net/destcontainer/" 


NOTE DELETE DESTINATION FLAG 


You can use the --delete-destination flag with the azcopy sync command if you want to delete 
blobs in the destination that don't exist in the source. It can be set to true, false, or prompt. 
Using prompt will prompt you for each deletion, which makes the operation safer. 
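The sync rule above (copy when the destination copy is missing or older by last-modified time, never when it is newer) together with the three --delete-destination settings is easy to get wrong when the destination holds data that is not in the source. The following is an added example that models that decision over constructed container listings; it is not AzCopy's own code, and the blob names and timestamps are made up.

```python
"""Model the decision rule of azcopy sync: copy a blob when it is missing from
the destination or older there than in the source, and delete destination-only
blobs according to --delete-destination.  Added example, not AzCopy's own
code; the listings below are constructed."""
from datetime import datetime, timedelta, timezone


def plan_sync(source, destination, delete_destination="false", confirm=None):
    """Return (to_copy, to_delete) for listings of blob name -> last modified.

    delete_destination mirrors the flag's values: "true", "false" or "prompt";
    with "prompt", confirm(name) is asked about every destination-only blob.
    """
    to_copy = []
    for name, modified in sorted(source.items()):
        # Only last-modified time is compared; content hashes play no part.
        if name not in destination or destination[name] < modified:
            to_copy.append(name)
        # A blob that is newer in the destination is left alone.
    extra = sorted(set(destination) - set(source))
    if delete_destination == "true":
        to_delete = extra
    elif delete_destination == "prompt":
        if confirm is None:
            raise ValueError("prompt mode needs a confirm callback")
        to_delete = [name for name in extra if confirm(name)]
    elif delete_destination == "false":
        to_delete = []
    else:
        raise ValueError("delete_destination must be true, false or prompt")
    return to_copy, to_delete


T0 = datetime(2020, 12, 1, 9, 0, tzinfo=timezone.utc)
HOUR = timedelta(hours=1)

# Constructed listings of srccontainer and destcontainer (name -> last modified).
SOURCE = {
    "CreateUserTemplate.csv": T0,        # identical timestamp in both: skipped
    "reports/q4.csv": T0 + HOUR,         # newer in source: copied
    "reports/new.csv": T0 + 2 * HOUR,    # missing in destination: copied
    "archive/old.csv": T0,               # newer in destination: left alone
}
DESTINATION = {
    "CreateUserTemplate.csv": T0,
    "reports/q4.csv": T0,
    "archive/old.csv": T0 + HOUR,
    "stale.log": T0 - HOUR,              # only in destination
}

if __name__ == "__main__":
    for mode in ("false", "true", "prompt"):
        copy, delete = plan_sync(SOURCE, DESTINATION, mode,
                                 confirm=lambda name: name.endswith(".log"))
        print(mode, "copy:", copy, "delete:", delete)
```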


Implement Azure Storage replication 


The data in your Azure Storage accounts is always replicated for durability and high availability. 
The built-in storage replication options were discussed at a high level in Table 2-3. It's important 
to understand when each replication option should be used and the level of availability you 
require for your scenario. Table 2-5 describes the scenarios and expected availability for each of 
the replication options. 


TABLE 2-5 Durability and availability for various replication options 


Scenario | Supported storage account types | Server or other failure within a datacenter | Failure affecting an entire datacenter (such as a fire) | Failure affecting all datacenters in a region (such as a hurricane) | Designed durability 
LRS     | GPv2, GPv1, blob | Available | Not available | Not available | At least 99.999999999 percent (11 nines) 
ZRS     | GPv2 | Available | Available | Not available | At least 99.9999999999 percent (12 nines) 
GRS     | GPv1, GPv2, blob | Available | Available | Microsoft-controlled failover | At least 99.99999999999999 percent (16 nines) 
RA-GRS  | GPv1, GPv2, blob | Available | Available | Read access only until failed over | At least 99.99999999999999 percent (16 nines) 
GZRS    | GPv2 | Available | Available | Microsoft-controlled failover | At least 99.99999999999999 percent (16 nines) 
RA-GZRS | GPv2 | Available | Available | Read access only until failed over | At least 99.99999999999999 percent (16 nines) 


Scenario | Availability SLA for read requests | Availability SLA for write requests 
LRS     | At least 99.9 percent (99 percent for cool access tier) | At least 99.9 percent (99 percent for cool access tier) 
ZRS     | At least 99.9 percent (99 percent for cool access tier) | At least 99.9 percent (99 percent for cool access tier) 
GRS     | At least 99.9 percent (99 percent for cool access tier) | At least 99.9 percent (99 percent for cool access tier) 
RA-GRS  | At least 99.99 percent (99.9 percent for cool access tier) | At least 99.9 percent (99 percent for cool access tier) 
GZRS    | At least 99.99 percent (99.9 percent for cool access tier) | At least 99.9 percent (99 percent for cool access tier) 
RA-GZRS | At least 99.99 percent (99.9 percent for cool access tier) | At least 99.9 percent (99 percent for cool access tier) 


Changing storage account replication mode 


Storage accounts can be moved freely between the LRS, GRS, and RA-GRS replication modes. 
Azure will replicate the data asynchronously in the background as required. 


Migrating to or from the ZRS, GZRS, and RA-GZRS replication modes works differently. The 
recommended approach is to simply copy the data to a new storage account with the desired 
replication mode, using a tool such as AzCopy. This might require application downtime. 
Alternatively, you can request a live data migration via Azure Support. 


You can set the replication mode for a storage account after it is created through the 
Azure portal by clicking the Configuration link on the storage account and selecting the 
Replication Type (see Figure 2-24). 
FIGURE 2-24 The configuration blade of an Azure storage account 


MORE INFO MORE EXAMPLES WITH POWERSHELL 


There are many variations for using the async copy service with PowerShell. For more 
information, see the following: https://docs.microsoft.com/powershell/module/az.storage/start-azstorageblobcopy. 


MORE INFO MORE EXAMPLES WITH CLI 


There are many variations for using the async copy service with the Azure CLI. For more 
information, see https://docs.microsoft.com/cli/azure/storage/blob/copy. 


Configure blob object replication 


Azure Storage blob object replication provides asynchronous replication of block blobs 
from one storage account to another. The blobs are replicated based on the defined 
replication rules. 

You can leverage object replication only when blob versioning is enabled for both the 
source and destination storage accounts and the blob change feed is enabled for the source 
storage account. 


NOTE BLOB VERSIONING AND BLOB CHANGE FEED 
Blob versioning captures the state of a blob when it is modified or deleted; Azure Storage 
creates a new version ID for the blob with each change. The blob change feed provides all the 
changes to blobs and their metadata in the form of transaction logs. 


There are various benefits you can get by using object replication: 

■ For large data processing jobs, you can analyze the data in a single region and 
distribute the results to additional regions as needed, rather than spending processing 
time and compute resources repeating the work in every region. 

■ With replication, users can read data from the replicated region as well. You can 
therefore reduce latency for read requests by giving users the flexibility to choose the 
nearest region to read the data from. 

■ Compute workloads can process the same sets of block blobs in different regions 
using object replication. 

■ You can reduce costs by moving your replicated data to the archive tier using 
Lifecycle Management policies. 

Keep in mind that object replication performs multiple read and write transactions against the 
source and destination accounts, which can incur additional costs. 

To set up the object replication rules, open the storage account, browse to Object 
Replication under Blob Service, and click Set Up Replication Rules (see Figure 2-25). You 
can define up to 10 replication rules per policy. 
FIGURE 2-25 Set up replication rules option on the Object Replication blade 


You need to select the Destination Subscription and Destination Storage Account that 
will be used for replication. You also need to select the Source Container and Destination 
Container in a pair. You can limit the replication scope with filters by specifying the prefix 
match for blobs. See Figure 2-26. 


FIGURE 2-26 Destination details for a replication rule under Object replication 


You can also control how objects are copied over to the destination container using 
three options: Everything, Only New Objects, and Custom (see Figure 2-53). If you select 
Everything, then all the blobs matching the filters will be copied over to the destination 
container, but if you select Only New Objects, then only the newly added blobs matching 
the filters will be copied over to the destination container. If you select Custom, then you will 
have a chance to manually specify a date and time, and only blobs created after it are copied, as shown in 
Figure 2-27. 


FIGURE 2-27 Copy Over option for a replication rule 


Once created, the consolidated view of replication rules is available on the 
Object Replication blade. You can also right-click a rule and select Edit Rules, Download 
Rules, or Delete Rules, as shown in Figure 2-28. The downloaded rules can be edited and 
reused through the Upload Replication Rules option instead of re-creating them. 


To check the replication status of a source blob, select the source blob to see its 
properties. The Object Replication section shows the replication Policy 
ID and Rule ID along with the replication Status (see Figure 2-29). 


FIGURE 2-28 Replication rules 
FIGURE 2-29 Replication status 


There are certain limitations with blob object replication that are crucial to review before 
implementation: 


■ Object replication doesn't work with the Archive tier. 

■ Blob snapshots and immutable snapshots are not supported with object replication. 

■ Object replication doesn't work with accounts with a hierarchical namespace (Azure 
Data Lake Storage Gen2). 

■ Because block blob data is replicated asynchronously, there is no SLA on when accounts 
are in sync. However, you can check the replication status of a blob. 

■ The source account can have a maximum of two destination accounts. 

■ Once you create a replication policy, the destination container is read-only, and you can 
no longer perform write operations against it. 
Skill 2.3: Configure Azure Files and Azure Blob Storage 


Azure Files is a fully managed file share service that offers endpoints for the Server Message 
Block (SMB) protocol, also known as the Common Internet File System (CIFS). This allows you to 
create one or more file shares in the cloud (with a default maximum size of 5 TiB per share). You can 
enable large file shares for a storage account and create file shares of up to 100 TiB; if you are 
using the Premium SKU, you get 100 TiB by default. Azure Files can be used for the same purposes as 
a regular Windows file server, such as shared storage, or for new uses such as part of a lift-and-shift 
migration strategy. 


This section covers how to: 


■ Create an Azure file share 

■ Create and configure Azure File Sync service 

■ Configure Azure Blob Storage 

■ Configure storage tiers for Azure blobs 

■ Configure blob Lifecycle Management 


Create an Azure Fileshare 


There are several common use cases for Azure Files. A few examples include the 
following: 


■ Migration of existing applications that require a file share for storage 


■ Shared storage of files, such as web content, log files, application configuration files, or 
even installation media 


■ Replacing an existing file server 


Figure 2-30 shows the hierarchy of files stored in Azure Files. 


FIGURE 2-30 Azure Files entities and relationship hierarchy 
Creating an Azure file share 


To create a new Azure file share using the Azure portal, open an Azure Storage account, 
click the File Shares link, and then click the + File Share button. In the dialog box shown in 
Figure 2-31, you must provide the file share name and the quota size, which can be a maximum 
size of 5,120 GiB. 


FIGURE 2-31 Adding a new share with Azure Files 


Connecting to Azure Files outside of Azure 


Because Azure Files provides support for SMB 3.0, it is possible to connect directly to an Azure 
file share from a computer running outside of Azure. In this case, remember to open outbound 
TCP port 445 in your local network. Many companies block port 445 because of the insecure 
nature of SMB 1.0, so check your network configuration if you have problems connecting. 
Alternatively, you can use a virtual private network (VPN) or ExpressRoute where port 445 can't 
be unblocked. Note that Windows 7 and Windows Server 2008 R2 do not support SMB 3.0. 


MORE INFO HOW TO REMOVE SMB V1 

To disable SMB v1 in your environment, you can disable the smb1protocol feature. 
See the following link for more details: https://docs.microsoft.com/windows-server/storage/file-server/troubleshoot/detect-enable-and-disable-smbv1-v2-v3#how-to-gracefully-remove-smb-v1-in-windows-81-windows-10-windows-2012-r2-windows-server-2016-and-windows-server-2019. 


Connect and mount with Windows File Explorer 


There are several ways to mount an Azure file share from Windows. The first is to use the Map 
Network Drive feature within Windows File Explorer. Open File Explorer, right-click This PC, 
and then click the Map Network Drive option, as shown in Figure 2-32. 
FIGURE 2-32 The Map Network Drive option from This PC 


When the dialog box opens, specify the following configuration options, as shown in 
Figure 2-33: 


■ Folder. \\[name of storage account].file.core.windows.net\[name of share] 


■ Connect Using Different Credentials. Select this option. 


FIGURE 2-33 Mapping a Network Drive to an Azure file share 


When you click Finish, you will see another dialog like the one shown in Figure 2-34 that 
requests the username and password to access the file share. The username should be in the 
following format: AZURE\[name of storage account], and the password should be the access key 
for the Azure Storage account. 


FIGURE 2-34 Specifying credentials to the Azure file share 


Connect and mount with the net use command 


You can also mount the Azure file share using the Windows net use command, as the following 
example demonstrates (the drive letter, share path, username, and storage account key are 
passed on one command line): 


net use X: \\erstandard01.file.core.windows.net\logs /u:AZURE\erstandard01 r21Dk4qgY1HpcbriySwrBxnXnbedZLmnRK3N49PfaiL1t3ragpQaIB7FqąK5zbez/sMnDEzEu/dgA9Nq/W7IF4A== 


Automatically reconnect after reboot in Windows 


To make the file share automatically reconnect and map to the drive after Windows is 
rebooted, use the following command (ensuring you replace the placeholder values): 


cmdkey /add:<storage-account-name>.file.core.windows.net /user:AZURE\<storage-account-name> /pass:<storage-account-key> 


net use Z: \\<storage-account-name>.file.core.windows.net\<file-share-name> /persistent:yes 


Connect and mount from Linux 


Use the mount command (elevated with sudo) to mount an Azure file share on a Linux virtual 
machine. In this example, the logs file share is mapped to the /logs mount point. 


sudo mount -t cifs //<storage-account-name>.file.core.windows.net/logs /logs -o vers=3.0,username=<storage-account-name>,password=<storage-account-key>,dir_mode=0777,file_mode=0777,sec=ntlmssp 
Create and configure Azure File Sync service 


Azure File Sync extends Azure Files so that on-premises file services can be extended to Azure 
while maintaining performance and compatibility. 


Some of the key functionality Azure File Sync provides: 
■ Multi-site access. The ability to write files across Windows and Azure Files. 
■ Cloud tiering. Store only recently accessed data on local servers; the rest of the 
data is tiered to Azure in a storage account. 
■ Azure Backup integration. Back up in the cloud. 
■ Fast disaster recovery. Restore file metadata immediately and recall data as needed. 


Create the Storage Sync Service instance in the portal by navigating to Create A Resource 
and then searching for Azure File Sync. The creation blade requires the name of the Storage 
Sync Service, the Subscription, the Resource Group, and the Region in which to create the Azure File 
Sync Service, as shown in Figure 2-35. 


FIGURE 2-35 Deploy Azure File Sync—Basic blade 


Create Azure sync group 


You can create a sync group to define the topology for how your file synchronization will take 
place. Within a sync group, you will add server endpoints, which are file servers and paths 
within the file server you want the sync group to sync with each other. Figure 2-36 shows the 
settings for creating a sync group using the Azure portal. 
Deploying the Azure File Sync agent 


To add endpoints to your Azure Files sync group, Internet Explorer Enhanced Security Configuration must be disabled before installing the agent. It can be re-enabled after the initial installation.


1. Install the latest Azure PowerShell module on the server. See the following for installation instructions: https://go.microsoft.com/fwlink/?linkid=856959.


FIGURE 2-36 Creating a Sync Group and specifying the Azure file share (Sync group name and 1st Cloud endpoint: Subscription, Storage account, Azure File Share)


2. Register a server to the sync group by installing the Azure File Sync Agent on each server. The agent can be downloaded from the Microsoft Download Center at https://go.microsoft.com/fwlink/?linkid=858257. The installer is pictured in Figure 2-37.
FIGURE 2-37 Installing the Azure File Sync Agent (Sign in and register this server: Tenant ID and Azure Environment)


3. After the agent is installed, sign in with the Azure credentials for your subscription, as 
shown in Figure 2-38. 


FIGURE 2-38 Signing into the Azure Storage Sync Agent
4. Next, register the server with the Storage Sync Service, as shown in Figure 2-39.


FIGURE 2-39 Registering the server with the Storage Sync Service (Choose a Storage Sync Service: Azure Subscription, Resource Group, Storage Sync Service)


Adding a server endpoint 


After the server is registered, you must navigate back to the sync group in the Azure portal and 
click Add Server Endpoint. In the Registered Server drop-down menu, you will find all the 
servers that have the agent installed and associated with this sync service. 


Enable cloud tiering to only store frequently accessed files locally on the server while all your other files are stored in Azure Files. This is an optional feature that is configured by a policy.


MORE INFO CLOUD TIERING OVERVIEW

You can learn more about configuring cloud tiering at https://docs.microsoft.com/azure/storage/files/storage-sync-cloud-tiering.


Figure 2-40 shows the blade in the Azure portal to add the server endpoint. Ensure that you 
are only syncing the location to one sync group at a time and that the path entered exists on 
the server. 
FIGURE 2-40 Adding a server endpoint to the Azure Storage Sync Service (Registered Server, Path, and Cloud Tiering settings)


Monitoring synchronization health 


Open the sync group in the Azure portal. A health indicator is displayed by each of the server endpoints; green indicates a healthy status. Click the endpoint to see statistics such as the number of files remaining, size, and any resulting errors, as shown in Figure 2-41.


MORE INFO TROUBLESHOOTING AZURE FILE SYNC

Keep up with the latest issues and learn more about troubleshooting Azure File Sync at https://docs.microsoft.com/azure/storage/files/storage-sync-files-troubleshoot.
FIGURE 2-41 Monitoring the health of a new server endpoint (sync group view listing cloud endpoints and server endpoints with Health, Files Not Syncing, Sync Activity, Path, and Cloud Tiering columns)


Configure Azure Blob Storage 


This section describes the key features of the blob storage provided by each storage account. Azure Blob Storage is used for large-scale storage of arbitrary data objects, such as media files, log files, and so on.


Blob containers 


Figure 2-42 shows the layout of the blob storage. Each storage account can have one or more 
blob containers and all blobs must be stored within a container. Containers are similar in 
concept to a hard drive on your computer, in that they provide a storage space for data in your 
storage account. Within each container, you can store blobs, much as you would store files on a 
hard drive. Blobs can be placed at the root of the container or organized into a folder hierarchy. 


FIGURE 2-42 Azure storage account entities and hierarchy relationships (Storage Account > Containers > Blobs)
Each blob has a unique URL. The format of this URL is as follows: https://[account name].blob.core.windows.net/[container name]/[blob path and name].

Optionally, you can create a container at the root of the storage account by specifying the special name $root for the container name. This allows you to store blobs in the root of the storage account and reference them with URLs such as https://[account name].blob.core.windows.net/fileinroot.txt.


Understanding blob types 


Blobs come in three types, and it is important to understand when each type of blob should be 
used and what the limitations are for each. 


■ Page Blobs. Optimized for random-access read and write operations. Page Blobs are used to store virtual hard disk (VHD) files when using unmanaged disks with Azure virtual machines. The maximum Page Blob size is 8 TB.

■ Block Blobs. Optimized for efficient uploads and downloads, for video, images, and other general-purpose file storage. The maximum Block Blob size is slightly more than 4.75 TB.

■ Append Blobs. Optimized for append operations. Updating or deleting existing blocks in the blob is not supported. Up to 50,000 blocks can be added to each Append Blob, and each block can be up to 4 MB in size, giving a maximum Append Blob size of slightly more than 195 GB. Append Blobs are most commonly used for log files.


Blobs of all three types can share a single blob container. 


EXAM TIP 

The type of the blob is set at creation and cannot be changed after the fact. A common problem that might show up on the exam is a .vhd file that was accidentally uploaded as a Block Blob instead of a Page Blob. The blob must be deleted first and re-uploaded as a Page Blob before it can be mounted as an OS or data disk to an Azure VM.


MORE INFO BLOB TYPES

You can learn more about the intricacies of each blob type here: https://docs.microsoft.com/rest/api/storageservices/understanding-block-blobs--append-blobs--and-page-blobs.


Managing blobs and containers (Azure portal) 

You can create and manage containers through the Azure portal, Azure Storage Explorer, 
third-party storage tools, or through the command-line tools. To create a container in the 
Azure management portal, open a storage account by clicking All Services > Storage 
Accounts, and then choosing your storage account. Within the storage account blade, click 
the Blobs tile, and then click the + Container button, as shown in Figure 2-43. See Skill 2.1 for 
more information on setting the public access level. 
FIGURE 2-43 Creating a container using the Azure management portal (New container: Name and Public access level, with the options Private, Blob, and Container)


After a container is created, you can also use the portal to upload blobs to the container, as demonstrated in Figure 2-44. Click the Upload button in the container and then browse to the blob to upload. If you click the Advanced button, you can select the blob type (Block, Page, or Append), the block size, and optionally, a folder to which the blob is to be uploaded.


FIGURE 2-44 Uploading a blob to a storage account container


MORE INFO MANAGING BLOB STORAGE WITH POWERSHELL

The Azure PowerShell cmdlets offer a rich set of capabilities for managing blobs in storage. You can learn more about their capabilities here: https://docs.microsoft.com/azure/storage/blobs/storage-how-to-use-blobs-powershell.

MORE INFO MANAGING BLOB STORAGE WITH THE AZURE CLI

The Azure CLI also offers a rich set of capabilities for managing blobs in storage. You can learn more about their capabilities here: https://docs.microsoft.com/azure/storage/common/storage-azure-cli.
Managing blobs and containers (Storage Explorer)


Azure Storage Explorer provides rich functionality for managing storage data, including blobs 
and containers. To create a container, expand the Storage Accounts node, expand the storage 
account you want to use, and right-click the Blob Containers node. This will open a new menu 
item where you can create a blob container, as shown in Figure 2-45. 


FIGURE 2-45 Creating a container using the Azure Storage Explorer (right-click menu on Blob Containers: Create Blob Container, Configure CORS Settings, Configure Soft Delete Policy, Search From Here, Refresh)


Azure Storage Explorer provides the ability to upload a single file or multiple files at once. 
The Upload Folder feature provides the ability to upload the entire contents of a local folder, 
re-creating the hierarchy in the Azure Storage Account. Figure 2-46 shows the two upload 
options. 


FIGURE 2-46 Uploading files and folders using Azure Storage Explorer (Upload Folder and Upload Files options)


Soft Delete for Azure Storage blobs 


The default behavior of deleting a blob is that the blob is deleted and lost forever. Soft Delete 
is a feature that allows you to save and recover your data when blobs or blob snapshots are 
deleted even in the event of an overwrite. This feature must be enabled on the Azure Storage 
account, and a retention period must be set for how long the deleted data is available (see 
Figure 2-47). 
FIGURE 2-47 Enabling soft delete on an Azure Storage account (Data protection blade: Blob soft delete Enabled with a retention period in days)


EXAM TIP


The maximum retention period for soft delete is 365 days. 


MORE INFO SOFT DELETE FOR AZURE STORAGE BLOBS


You can learn more about using Soft Delete with Azure Blob Storage here: 
https://docs.microsoft.com/en-us/azure/storage/blobs/soft-delete-blob-overview 


Configure storage tiers for Azure blobs 


As discussed in Skill 2.1, Azure Blob Storage supports three access tiers: Hot, Cool, and Archive. 
Each represents a trade-off of performance, availability, and cost. There is no trade-off on the 
durability (probability of data loss), which is extremely high across all tiers. 


Account-level tiering 

Blobs in a storage account can coexist across the three tiers within the same account. If a blob does not have an assigned tier, it infers its access tier from the account access tier setting by default. In such a scenario, you will see that the access tier's Inferred blob property is set to true, and the Access Tier blob property matches the account-level tier. In the Azure portal, the Inferred property for the Access Tier is displayed, as shown in Figure 2-48.
FIGURE 2-48 Access tier property for account level tiering (container listing with Name, Modified, Access tier, Blob type, and Size columns; one blob shows Hot and the other Hot (Inferred))


NOTE CHANGE ACCOUNT ACCESS TIER 


Changing the account access tier applies to all access tier-inferred objects stored in the 
account that don't have an explicit tier set. 


Blob-level tiering 


Blobs can be assigned the desired access tier while you upload them to the container (see Figure 2-49). You can also change the access tier among the Hot, Cool, and Archive tiers as usage patterns change, without having to move data between accounts. Requests to change tier between the Hot and Cool tiers take effect immediately.


NOTE ARCHIVE STORAGE TIER 


Data in the Archive storage tier is stored offline and must be rehydrated to the Cool or Hot tier 
before it can be accessed. This process can take up to 15 hours. 


When the access tier is changed, the access tier's Last Modified property is updated with the time of the most recent change to the tier (see Figure 2-50).
FIGURE 2-49 Changing access tier while uploading the blobs to container (Upload blob blade, Advanced section: Authentication type, Blob type, Block size, and Access tier with the options Hot (Inferred), Hot, Cool, and Archive)


Change access tier 

Changing the access tier can occur either at the account level or at the individual blob level. At the account level, it can be performed by setting the access tier in the Configuration blade (this is the default tier for any blob that has not been assigned one explicitly) or by using the new Lifecycle Management feature. At the individual blob level, the same can be achieved by using the Change Tier option for the blob.
FIGURE 2-50 Access tier Last Modified property for the blob (blob Properties: Last Modified, Creation Time, Type, Access Tier, Access Tier Last Modified, Server Encrypted, Lease Status, Lease State, Copy Status, and Metadata)


NOTE CHANGING THE ACCESS TIER 


Changing the account access tier will result in tier change charges for access tier-inferred blobs stored in the account that do not have an explicit tier set.


To make a change at account level, browse to the storage account, click the Configuration 
blade, and change Access Tier(Default) to Cool or Hot (see Figure 2-51). 


Similarly, to make a change at blob level, browse to a blob, then click the Change Tier 
option, and select the Access Tier from the drop-down menu; your options are Hot, Cool, or 
Archive (see Figure 2-52). 
FIGURE 2-51 Change the access tier (storage account Configuration blade: Account kind, Performance, Secure transfer required, Access tier (default), Replication, and Identity-based access for file shares)


Configure blob Lifecycle Management 


Azure Storage has a lifecycle-management capability, and it can be used to transition data to 
lower-access tiers automatically based on pre-configured rules. You can also delete the data at 
the end of its lifecycle. These rules can be executed against the storage account once per day. 


Specific blobs and containers can be targeted using filter sets. 


To configure the Lifecycle Management rules, open the storage account, browse to 
Lifecycle Management under Blob Service, and click Add A Rule (see Figure 2-53). You 
can define up to 100 rules. 
FIGURE 2-52 Change Tier on the Configuration blade

FIGURE 2-53 Add Rule option on the Lifecycle Management blade
You can limit the rule scope with a filter set by selecting Limit Blobs With Filters, as shown
in Figure 2-54. You can also select the Blob Type and Blob Subtype that should be applicable 
to this rule. Under Blob Type, you can choose Block Blobs or Append Blobs. Under Blob 
Subtype, your choices are Base Blobs, Snapshots, and Versions. Now click Next. 


FIGURE 2-54 Setting rule options on the Add A Rule blade (Details step: Rule name, Rule scope, Blob type, and Blob subtype)


You can configure rules in the Base Blobs section to define the blob lifecycle policy. You can create multiple if-then blocks to define the conditions. For example, you can move blob data to Cool storage if it has not been modified for a specified number of days. Similarly, you can also create rules to move blobs to Archive storage or delete them if they have not been modified for a defined number of days. In Figure 2-55, the condition has been created for 30 days, and all three actions are shown in the drop-down menu. Click Next to configure the filter set.

In the Filter Set, you can specify the prefix to find items within the container. You need to specify the container name followed by the prefix. For example, you could use data/cost, where data is the name of the container and cost is the prefix, as shown in Figure 2-56. You can also use the Blob Index Match if you have indexed the items with keys and values in your containers. You can specify up to 10 prefixes per rule.
FIGURE 2-55 Base Blobs section for a rule (if-then block: Base blobs were Last modified More than 30 days ago; Then: Move to cool storage, Move to archive storage, or Delete the blob)


FIGURE 2-56 Filter Set for a rule (Prefix match data/cost and Blob index match key/value)
Now click Add to create the rule.


Once created, the consolidated view of the code is shown on the Code View tab, as shown 
in Figure 2-57. 
FIGURE 2-57 Action set for a rule under Lifecycle Management blade (Code View showing the rule JSON, including a tierToCool action with daysAfterModificationGreaterThan set to 30 and blobTypes set to blockBlob)


NOTE LIFECYCLE MANAGEMENT EFFECT 


The policy can take up to 24 hours to go into effect, and then the action can take an additional 
24 hours to run. Overall, it takes up to 48 hours for policy actions to complete once you set up 
Lifecycle Management. 


You can delete a rule at any time from the Lifecycle Management blade if it is no longer required.
Thought experiment


In this thought experiment, apply what you have learned about this objective. You can find 
answers to these questions in the next section. 


You are asked to design an Azure Storage solution for a large insurance company. The company wants the data to be accessible based on the role of each individual user within the organization. Each department has its own separate dataset, which it accesses on a daily basis.

The company wants to restrict users from modifying the data of other departments, but all users must be able to access the data across departments.


Also, there is a requirement to store that data forever with minimal cost possible. The data is 
rarely used after two years from the date it was last modified. 


■ What steps should you take to assign storage access based on each user's department?

■ What changes need to be made in order to keep storing data forever with minimal cost?


Thought experiment answers 


This section contains the solution to the thought experiment for the chapter. 


To solve this problem, we can leverage various capabilities of Azure Storage, such as Azure 
AD authentication with role-based access control and lifecycle-management for the Blob 
Storage. 


1. Create an Azure Storage account and create a container for each department to store its data. Next, assign the Storage Blob Data Reader role to all the department groups at the account scope, but assign the Storage Blob Data Contributor role to each department group only on its own container. This allows users to access all department data, but they can modify only their own department's data.


2. Create a rule under Lifecycle Management for the storage account and select the Apply 
Rule To All Blobs In Your Storage Account option. Then, add an if-then block to move 
data to archive tier after 730 days (two years). This will let you store the data forever with 
minimal cost in the Archive tier. 
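As an added example (not code from the book or from Microsoft), the following Python script models the lifecycle-management policy JSON shown in the Code View of Figure 2-57 and the rule from thought experiment answer 2, checks the rule and prefix limits the chapter states, and simulates one daily evaluation against constructed sample blobs. The rule names, blob paths, and dates are assumptions; the real service evaluates policies itself, once per day, so this is a model of the decision, not a client of the Storage API.

```python
"""Offline model of an Azure Blob Storage lifecycle-management policy.
Added example, not code from the book or from Microsoft: it mirrors the JSON the
portal's Code View shows (rules -> definition -> actions.baseBlob with tierToCool /
tierToArchive / delete, filters.blobTypes / prefixMatch) and simulates one daily run."""
from datetime import datetime, timedelta, timezone

MAX_RULES = 100      # per-account rule limit stated in the chapter
MAX_PREFIXES = 10    # per-rule prefix limit stated in the chapter
TIER_ORDER = {"Hot": 0, "Cool": 1, "Archive": 2}
# Actions are applied in tier order: cool, then archive, then delete.
ACTIONS = (("tierToCool", "Cool"), ("tierToArchive", "Archive"), ("delete", "Deleted"))

# Constructed policy: rule 1 is the ExamRefRule from the figures (data/cost, 30 days);
# rule 2 is the thought-experiment rule (all block blobs, archive after 730 days).
SAMPLE_POLICY = {
    "rules": [
        {
            "enabled": True, "name": "ExamRefRule", "type": "Lifecycle",
            "definition": {
                "actions": {"baseBlob": {"tierToCool": {"daysAfterModificationGreaterThan": 30}}},
                "filters": {"blobTypes": ["blockBlob"], "prefixMatch": ["data/cost"]},
            },
        },
        {
            "enabled": True, "name": "ArchiveAfterTwoYears", "type": "Lifecycle",  # assumed name
            "definition": {
                "actions": {"baseBlob": {"tierToArchive": {"daysAfterModificationGreaterThan": 730}}},
                "filters": {"blobTypes": ["blockBlob"]},  # no prefixMatch: whole account
            },
        },
    ]
}

NOW = datetime(2020, 12, 7, tzinfo=timezone.utc)  # constructed evaluation time


def _blob(path, blob_type, tier, age_days):
    return {"path": path, "blobType": blob_type, "accessTier": tier,
            "lastModified": NOW - timedelta(days=age_days)}


# Constructed sample blobs; each comment says which rule(s) should fire.
SAMPLE_BLOBS = [
    _blob("data/cost/2020-10.csv", "blockBlob", "Hot", 45),   # rule 1 only -> Cool
    _blob("data/cost/2020-12.csv", "blockBlob", "Hot", 3),    # modified too recently -> Hot
    _blob("data/sales/2018.csv", "blockBlob", "Hot", 800),    # prefix differs; rule 2 -> Archive
    _blob("data/cost/2017.csv", "blockBlob", "Hot", 900),     # both rules; coolest wins -> Archive
    _blob("disks/os.vhd", "pageBlob", "Hot", 900),            # page blob: no rule applies -> Hot
]


def validate_policy(policy):
    """Return a list of problems; an empty list means the policy passed the checks."""
    problems = []
    rules = policy.get("rules", [])
    if len(rules) > MAX_RULES:
        problems.append(f"too many rules: {len(rules)} > {MAX_RULES}")
    for rule in rules:
        name = rule.get("name", "<unnamed>")
        definition = rule.get("definition", {})
        if len(definition.get("filters", {}).get("prefixMatch", [])) > MAX_PREFIXES:
            problems.append(f"{name}: more than {MAX_PREFIXES} prefixes in prefixMatch")
        for key, _ in ACTIONS:
            cond = definition.get("actions", {}).get("baseBlob", {}).get(key)
            if cond is None:
                continue
            days = cond.get("daysAfterModificationGreaterThan")
            if not isinstance(days, int) or days < 0:
                problems.append(f"{name}: {key} needs a non-negative integer day count")
    return problems


def rule_matches(rule, blob):
    filters = rule["definition"]["filters"]
    if blob["blobType"] not in filters["blobTypes"]:
        return False
    prefixes = filters.get("prefixMatch")
    return not prefixes or any(blob["path"].startswith(p) for p in prefixes)


def decide(policy, blob, now=NOW):
    """Return the tier the blob ends in ('Hot', 'Cool', 'Archive') or 'Deleted'."""
    age_days = (now - blob["lastModified"]).days
    result = blob["accessTier"]
    for rule in policy["rules"]:
        if not rule.get("enabled", True) or not rule_matches(rule, blob):
            continue
        actions = rule["definition"]["actions"].get("baseBlob", {})
        for key, target in ACTIONS:
            cond = actions.get(key)
            if cond is None or age_days <= cond["daysAfterModificationGreaterThan"]:
                continue
            if target == "Deleted":
                return "Deleted"
            # Rules only move data to cooler tiers; an Archive blob is never moved back
            # by a rule (that needs an explicit rehydrate, which can take up to 15 hours).
            if TIER_ORDER[target] > TIER_ORDER[result]:
                result = target
    return result


def simulate(policy=SAMPLE_POLICY, blobs=SAMPLE_BLOBS, now=NOW):
    return {b["path"]: decide(policy, b, now) for b in blobs}
```

Running `simulate()` shows the same outcomes the comments on the sample blobs predict; `validate_policy()` catches a policy that exceeds the 10-prefix or 100-rule limits before it is submitted.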


Chapter summary 


This chapter covered several key services related to implementing storage in Microsoft Azure. Topics included how to create and manage Azure Storage Accounts, Blob Storage, Azure Files, importing and exporting data, Storage Explorer, AzCopy, Lifecycle Management, and object replication.

Below are some of the key takeaways from this chapter: 


■ Azure Storage accounts provide four separate services: Blob Storage, Table Storage, Queue Storage, and Azure Files. It is important to understand the usage scenarios of each service.

■ Standard storage accounts use magnetic drives and provide the lowest cost per GB. This type of account is best suited for applications that require bulk storage or where data is accessed infrequently.

■ Premium storage accounts use solid state drives and offer consistent, low-latency performance. This type of account can only be used with Azure virtual machine disks and is best for I/O-intensive applications, like databases.

■ Storage accounts must specify a replication mode. The options are locally redundant, zone-redundant, geo-redundant, read-access geo-redundant storage, geo zone-redundant, and read-access geo zone-redundant.

■ Blob Storage supports three types of blobs (Block, Page, and Append blobs), and three access tiers (Hot, Cool, and Archive).

■ There are three kinds of storage accounts: General-Purpose V1, General-Purpose V2, and Blob Storage. The availability of features varies between storage account types.

■ Azure Storage can be managed through several tools directly from Microsoft: Azure portal, PowerShell, CLI, Storage Explorer, and AzCopy. It is important to know when to use each tool.

■ Access to storage accounts can be controlled using several techniques. Among them are: Azure AD authentication; storage account name and key; SAS; SAS with access policy; and using the storage firewall and virtual network service endpoints. Access to Blob Storage can also be controlled using the public access level of the storage container.

■ You can also use AzCopy to copy files between storage accounts or from outside publicly accessible locations to your Azure Storage account.

■ Azure Storage has a lifecycle-management capability, and it can be used to transition data to lower-access tiers automatically based on preconfigured rules. You can also delete the data at the end of its lifecycle. These rules can be executed against the storage account once per day. Specific blobs and containers can be targeted using filter sets.

■ Azure Storage also provides blob object replication capabilities that provide asynchronous replication of Block Blobs from one storage account to another. The blobs are replicated based on the defined replication rules. You can leverage object replication only when blob versioning is enabled for both the source and destination storage accounts, and the blob change feed is enabled for the source storage account.
Deploy and manage Azure compute resources


Microsoft Azure offers many features and services that can be used to create inventive solutions for almost any IT problem. Some of the most common services for designing these solutions are Microsoft Azure virtual machines (VM) and VM scale sets (VMSS). Virtual machines are one of the key compute options for deploying workloads in Microsoft Azure.


The flexibility of virtual machines makes them a key scenario for many workloads. For 
example, you have a choice of server operating systems with various supported versions 
of Windows and Linux distributions. Azure virtual machines also provide you full control 
over the operating system along with advanced configuration options for networking and 
storage. In addition to VM capabilities, VM scale sets provide the unique ability to scale out 
certain types of workloads to handle large processing problems, and they optimize cost by 
only running instances when needed. 


In addition to this, you have other compute services, Azure Kubernetes Service (known as AKS) and Azure Container Instances (known as ACI), which are comparatively new in the market. With the wide adoption of containerized workloads across many IT companies, Microsoft is also heavily investing in enhancing their current product set to support container-based workloads. We also have services, such as Azure App Service and its App Service Plans, to manage and host Web applications.


In this chapter, you will learn the ins-and-outs of deploying and managing these compute 
resources in Azure as we cover creation through the Azure portal and the command line 
tools, automation with templates, as well as core management tasks. 


Skills covered in this chapter: 


■ Skill 3.1: Automate deployment of virtual machines (VMs) by using Azure Resource Manager templates

■ Skill 3.2: Configure VMs for high availability and scalability

■ Skill 3.3: Configure VMs

■ Skill 3.4: Create and configure containers

■ Skill 3.5: Create and configure Azure App Service
Skill 3.1: Automate deployment of virtual machines (VMs) by using Azure Resource Manager templates


The ability to provision virtual machines on-demand using the Azure portal is incredibly powerful. The true power of the cloud, however, is the ability to automatically deploy one or more resources defined in code, such as a script or a template. Use cases such as defining an application configuration and automatically deploying it on-demand allow teams to be more agile by providing dev, test, or production environments in a fast and repeatable fashion. Because the configuration is stored as code, changes to infrastructure can also be tracked in a version control system. In this skill, you will learn some of the core capabilities for automating workload deployments in Azure.


This section covers how to:

■ Modify an Azure Resource Manager (ARM) template
■ Configure a virtual hard disk (VHD) template
■ Deploy from a template
■ Save a deployment as an Azure Resource Manager (ARM) template
■ Deploy virtual machine extensions


ARM Template Overview 


Azure Resource Manager templates are authored using JavaScript Object Notation (JSON) and provide the ability to define the configuration of resources, such as virtual machines, storage accounts, and so on, in a declarative manner. Templates go beyond just providing the ability to create the resources; some resources such as virtual machines also allow you to customize them and create dependencies between them. This allows you to create templates that have capabilities for orchestrated deployments of completely functional solutions.


The Azure team maintains a list of ARM templates with examples for most resources. This 
list is located at https://azure.microsoft.com/resources/templates/ and is backed by a source 
code repository in GitHub. If you want to go directly to the source to file a bug, you can access 
it at: https://github.com/Azure/azure-quickstart-templates. 


The basic structure of a Resource Manager template has most of the following elements:

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": { },
  "variables": { },
  "functions": [ ],
  "resources": [ ],
  "outputs": { }
}


$schema The JSON schema file is the reference to the standard structure defined for an ARM template; validating against it helps you determine when something in your template does not match the expected syntax. The JSON schema is also used by features such as code completion (IntelliSense), which makes editing templates easier.


For resource group targeted deployments use:

https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#

For subscription targeted deployments use:

https://schema.management.azure.com/schemas/2019-04-01/subscriptionDeploymentTemplate.json#


contentVersion This provides source control to track the changes made in your template. You can provide any value for this element. When deploying resources using the template, this value can be used to make sure that the right template is being used.


parameters Using parameters, we can define the various values that are passed at runtime without changing the exact template file. The parameters can be changed by the azuredeploy.parameters.json file or in the PowerShell script that is used to deploy your template. The parameters are key elements when dealing with nested templates to pass the values from parent template to the child templates.


variables Defines values which are used in your template to simplify template language. Mostly, variables are hard-coded values, but they also can be created dynamically using parameters or standard template functions.


functions Users can create functions that can be used within the template. The complex expressions that are being used multiple times in the template can be defined as a function once. You need to create your own namespace and create member functions as needed. You cannot access variables or any other user-defined functions within your function.


resources This contains the resources that are deployed or updated in a resource group. You can define a condition to control the provisioning of each resource. Also, the dependsOn element determines which resources must be deployed before a specific resource.


outputs Here, you can define the type of values that are returned after deployment. 
This section is used to keep a track of resources that are being deployed or updated. 


Defining a virtual network 


This skill is focused on learning how to deploy Windows and Linux virtual machines. A prerequisite of deploying a virtual machine is a virtual network. In Listing 3-1, we will define the structure of the virtual network using several variables that describe the address space and subnet allocation.
LISTING 3-1 Variables for a virtual network creation

"ExamRefRGPrefix": "10.0.0.0/16",
"ExamRefRGSubnet1Name": "FrontEndSubnet",
"ExamRefRGSubnet1Prefix": "10.0.0.0/24",
"ExamRefRGSubnet2Name": "BackEndSubnet",
"ExamRefRGSubnet2Prefix": "10.0.1.0/24",
"ExamRefRGSubnet1Ref": "[concat(variables('VNetId'), '/subnets/', variables('ExamRefRGSubnet1Name'))]",
"VNetId": "[resourceId('Microsoft.Network/virtualNetworks', variables('VirtualNetworkName'))]",
"VirtualNetworkName": "ExamRefVNET",


After the variables are defined you can then add the virtual network resource to the resources element in your template. Listing 3-2 creates a virtual network named ExamRefVNET, with an address space of 10.0.0.0/16 and two subnets: FrontEndSubnet 10.0.0.0/24 and BackEndSubnet 10.0.1.0/24. Note the syntax to read the value of a variable: [variables('variablename')] is used heavily when authoring templates. The virtual network's location is set based on the return value of the built-in resourceGroup() function, which returns information about the resource group the resource is being created or updated in.


LISTING 3-2 Template structure for creating a virtual network 


{
  "name": "[variables('VirtualNetworkName')]",
  "type": "Microsoft.Network/virtualNetworks",
  "location": "[resourceGroup().location]",
  "apiVersion": "2019-12-01",
  "dependsOn": [],
  "properties": {
    "addressSpace": {
      "addressPrefixes": [
        "[variables('ExamRefRGPrefix')]"
      ]
    },
    "subnets": [
      {
        "name": "[variables('ExamRefRGSubnet1Name')]",
        "properties": {
          "addressPrefix": "[variables('ExamRefRGSubnet1Prefix')]"
        }
      },
      {
        "name": "[variables('ExamRefRGSubnet2Name')]",
        "properties": {
          "addressPrefix": "[variables('ExamRefRGSubnet2Prefix')]"
        }
      }
    ]
  }
}
Defining a network interface

Every virtual machine has one or more network interfaces. To create one with a template, add a variable to the variables section to store the network interface resource name, as the following snippet demonstrates:


"VMNicName": "VMNic" 


Listing 3-3 defines a network interface named WindowsVMNic. This resource has a dependency on the ExamRefVNET virtual network. This dependency will ensure that the virtual network is created prior to the network interface creation when the template is deployed and is a critical feature of orchestration of resources in the correct order. The network interface is associated to the subnet by referencing the ExamRefRGSubnet1Ref variable.


LISTING 3-3 Creating a network interface 


{
  "name": "[variables('VMNicName')]",
  "type": "Microsoft.Network/networkInterfaces",
  "location": "[resourceGroup().location]",
  "apiVersion": "2019-12-01",
  "dependsOn": [
    "[resourceId('Microsoft.Network/virtualNetworks', 'ExamRefVNET')]"
  ],
  "properties": {
    "ipConfigurations": [
      {
        "name": "ipconfig1",
        "properties": {
          "privateIPAllocationMethod": "Dynamic",
          "subnet": {
            "id": "[variables('ExamRefRGSubnet1Ref')]"
          }
        }
      }
    ]
  }
}
EXAM TIP

To specify a static private IP address in template syntax, specify an address from the assigned subnet using the privateIPAddress property and set privateIPAllocationMethod to Static:

"privateIPAddress": "10.0.0.10",
"privateIPAllocationMethod": "Static",
Adding a Public IP Address


To add a public IP address to the virtual machine, you must make several modifications. The first is to define a parameter that the user will use to specify a unique DNS name for the public IP. The following code goes in the parameters block of a template:

"VMPublicIPDnsName": {
  "type": "string",
  "minLength": 1
}


The second modification is to add the public IP resource itself. Before adding the resource, add a new variable in the variables section to store the name of the public IP resource:

"VMPublicIPName": "VMPublicIP"

Listing 3-4 shows a public IP address resource with the public IP allocation method set to Dynamic (it can also be set to Static). The domainNameLabel property of the IP address dnsSettings element is populated by the parameter. This makes it easy to specify a unique value for the address at deployment time.


LISTING 3-4 Creating a public IP address


{
  "name": "[variables('VMPublicIPName')]",
  "type": "Microsoft.Network/publicIPAddresses",
  "location": "[resourceGroup().location]",
  "apiVersion": "2019-12-01",
  "dependsOn": [ ],
  "properties": {
    "publicIPAllocationMethod": "Dynamic",
    "dnsSettings": {
      "domainNameLabel": "[parameters('VMPublicIPDnsName')]"
    }
  }
}


The next modification is to update the network interface resource that the public IP address is associated with. The network interface must now have a dependency on the public IP address to ensure it is created before the network interface, as the following addition to the dependsOn array demonstrates:

"dependsOn": [
  "[resourceId('Microsoft.Network/virtualNetworks', 'ExamRefVNET')]",
  "[resourceId('Microsoft.Network/publicIPAddresses', variables('VMPublicIPName'))]"
],


The ipConfigurations -> properties element must also be modified to reference the 
publicIPAddress resource. See Listing 3-5. 
LISTING 3-5 IP Configurations

"ipConfigurations": [
  {
    "name": "ipconfig1",
    "properties": {
      "privateIPAllocationMethod": "Dynamic",
      "subnet": {
        "id": "[variables('ExamRefRGSubnet1Ref')]"
      },
      "publicIPAddress": {
        "id": "[resourceId('Microsoft.Network/publicIPAddresses', variables('VMPublicIPName'))]"
      }
    }
  }
]


Defining a virtual machine resource 


Before creating the virtual machine resource, you will add several parameters and variables. Each virtual machine requires administrative credentials. To enable a user to specify the credentials at deployment time, add two additional parameters for the administrator account and the password. The password parameter uses the securestring type so that its value is not exposed in the deployment history.

"VMAdminUserName": {
  "type": "string",
  "minLength": 1
},
"VMAdminPassword": {
  "type": "securestring",
  "minLength": 1
}


Several variables are needed to define the configuration of the virtual machine resource. The following variables define the VM name, operating system image, OS disk name, and VM size. They should be inserted into the variables section of the template.

"VMName": "MyVM",
"VMImagePublisher": "MicrosoftWindowsServer",
"VMImageOffer": "WindowsServer",
"VMOSVersion": "2019-Datacenter",
"VMOSDiskName": "VMOSDisk",
"VMSize": "Standard_D2_v2"


The VM has a dependency on the network interface. It doesn’t have to have a dependency 
on the virtual network, because the network interface itself does. This VM is using managed 
disks, so there are no references to storage accounts for the VHD file. Listing 3-6 shows a 
sample virtual machine resource. 
LISTING 3-6 Virtual machine resource

{
  "name": "[variables('VMName')]",
  "type": "Microsoft.Compute/virtualMachines",
  "location": "[resourceGroup().location]",
  "apiVersion": "2019-12-01",
  "dependsOn": [
    "[resourceId('Microsoft.Network/networkInterfaces', variables('VMNicName'))]"
  ],
  "properties": {
    "hardwareProfile": {
      "vmSize": "[variables('VMSize')]"
    },
    "osProfile": {
      "computerName": "[variables('VMName')]",
      "adminUsername": "[parameters('VMAdminUserName')]",
      "adminPassword": "[parameters('VMAdminPassword')]"
    },
    "storageProfile": {
      "imageReference": {
        "publisher": "[variables('VMImagePublisher')]",
        "offer": "[variables('VMImageOffer')]",
        "sku": "[variables('VMOSVersion')]",
        "version": "latest"
      },
      "osDisk": {
        "createOption": "FromImage"
      }
    },
    "networkProfile": {
      "networkInterfaces": [
        {
          "id": "[resourceId('Microsoft.Network/networkInterfaces', variables('VMNicName'))]"
        }
      ]
    }
  }
}


There are several properties of a virtual machine resource that are critical to its configuration.

■ hardwareProfile This element is where you set the size of the virtual machine. Set the vmSize property to the desired size, such as Standard_D2_v2.
■ osProfile At a basic level, this element is where you set the computerName and adminUsername properties. The adminPassword property is required if you do not specify an SSH key. This element also supports three sub-elements: windowsConfiguration, linuxConfiguration and secrets.
■ osProfile, windowsConfiguration While the example doesn't use this configuration, this element provides the ability to set advanced properties on Windows VMs:
  ■ provisionVMAgent This is enabled by default, but you can disable it. Specify whether extensions can be added.
  ■ enableAutomaticUpdates Specify whether Windows updates are enabled.
  ■ timeZone Specify the time zone for the virtual machine.
  ■ additionalUnattendContent Pass unattended install configuration for additional configuration options.
  ■ winRM Configure Windows PowerShell remoting.
■ osProfile, linuxConfiguration This element provides the ability to set properties on Linux VMs:
  ■ provisionVMAgent Enabled by default, but you can disable it. Specify whether extensions can be added.
  ■ disablePasswordAuthentication If set to true you must specify an SSH key.
  ■ ssh, publicKeys Specify the public key to use for authentication with the VM.
■ osProfile, secrets This element is used for deploying certificates that are in Azure Key Vault.
■ storageProfile This element is where the OS image is specified, and the OS and data disk configuration are set.
■ networkProfile This element is where the network interfaces for the virtual machine are specified.


MORE INFO RESOURCE MANAGER TEMPLATE SCHEMA

Reading through the Azure Resource Manager template schema is a great way to learn the capabilities of templates. The latest virtual machine schema is published at https://docs.microsoft.com/en-in/azure/templates/microsoft.compute/2019-12-01/virtualmachines.


Modify an Azure Resource Manager template

Often you will need to modify a template that you have previously used to change the configuration. As previously mentioned, one of the key concepts of using templates to describe your infrastructure (commonly referred to as Infrastructure as Code) is so you can modify it and deploy in a versioned manner. To accommodate this behavior ARM supports two different deployment modes: complete and incremental.


MORE INFO INFRASTRUCTURE AS CODE

Infrastructure as Code (known as IaC) is a descriptive model to manage the infrastructure. More information can be found at https://docs.microsoft.com/azure/devops/learn/what-is-infrastructure-as-code.


In complete mode, Azure Resource Manager deletes resources that exist in the resource group that are not in the template. This is helpful if you need to remove a resource from Azure and you want to make sure your template matches the deployment. You can remove the resource from the template, deploy using complete mode, and it will be removed.


MORE INFO REST API VERSION AND DEPLOYMENT MODE

The behavior discussed here really depends on the REST API version. If you use a version earlier than 2019-05-10, resources are not deleted. Also, there might be other possibilities such as resource locks or policy that prevent resources from being deleted.


In incremental mode, Azure Resource Manager leaves unchanged resources that exist in the resource group but aren't in the template. It will update the resources in the resource group if the settings in the template differ from what is deployed. Incremental mode can have unintended impacts on resource properties. If your template doesn't cover all the properties of a resource, then at the time of deployment the unspecified properties will be reset to default values, which can potentially affect the environment.


Incremental is the default mode for the Azure portal and when you are deploying through 
the command-line tools or Visual Studio. To use Complete mode, you must use the REST API or 
the command-line tools with the -Mode/--mode parameter set to Complete. 


The following example deploys a template in Complete mode using PowerShell. 


New-AzResourceGroupDeployment `
  -Mode Complete `
  -Name simpleVMDeployment `
  -ResourceGroupName ExamRefRG `
  -TemplateFile C:\ARMTemplates\deploy.json


The example listed below deploys a template in Complete mode using the Azure CLI. 


az group deployment create \ 
--name simpleVMDeployment \ 
--mode Complete \ 
--resource-group ExamRefRG \ 
--template-file deploy.json 
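The following Python dry run, an added example rather than the book's code, shows what the two modes described above mean for a resource group before anything is deployed: it classifies each resource as create, update, unchanged, keep (incremental), delete or blocked by a lock (complete), and flags properties that exist on a resource today but are absent from the template and would therefore be reset. The resource inventories and the lock are constructed sample data.

```python
"""Added example, not from the Exam Ref text: a dry run of an ARM deployment in
Incremental versus Complete mode. Resources are identified by (type, name);
existing resources that a Complete-mode run would remove are listed before
anything is deployed, and resources carrying a CanNotDelete lock are reported
as blocked because the deletion would fail."""


def _key(res):
    """Resource identity as ARM compares it: type and name, case-insensitive."""
    return (res["type"].lower(), res["name"].lower())


def plan_deployment(existing, template, mode, locked=()):
    """Classify every resource for a deployment of `template` into a resource group
    that currently holds `existing`. Both are lists of dicts with "type", "name" and
    an optional "properties" dict; `locked` is an iterable of (type, name) pairs."""
    mode = mode.lower()
    if mode not in ("incremental", "complete"):
        raise ValueError("mode must be Incremental or Complete")
    current = {_key(r): r.get("properties", {}) for r in existing}
    desired = {_key(r): r.get("properties", {}) for r in template}
    locked_keys = {(t.lower(), n.lower()) for t, n in locked}
    plan = {"create": [], "update": [], "unchanged": [], "keep": [],
            "delete": [], "blocked": [], "reset_risk": []}
    for key, props in desired.items():
        if key not in current:
            plan["create"].append(key)
            continue
        # Both modes redeploy the resource; top-level properties that exist today
        # but are missing from the template fall back to their default values.
        missing = sorted(set(current[key]) - set(props))
        if missing:
            plan["reset_risk"].append((key, missing))
        plan["update" if props != current[key] else "unchanged"].append(key)
    for key in current:
        if key in desired:
            continue
        if mode == "incremental":
            plan["keep"].append(key)        # left untouched
        elif key in locked_keys:
            plan["blocked"].append(key)     # Complete mode would try; the lock stops it
        else:
            plan["delete"].append(key)      # Complete mode removes it
    return plan


def needs_review(plan):
    """True when the run would remove resources, hit a lock, or reset properties."""
    return bool(plan["delete"] or plan["blocked"] or plan["reset_risk"])


# Constructed inventory of a resource group (what is deployed today)
EXISTING = [
    {"type": "Microsoft.Network/virtualNetworks", "name": "ExamRefVNET",
     "properties": {"addressSpace": {"addressPrefixes": ["10.0.0.0/16"]}}},
    {"type": "Microsoft.Network/networkInterfaces", "name": "VMNic",
     "properties": {"enableAcceleratedNetworking": True}},
    {"type": "Microsoft.Compute/virtualMachines", "name": "MyVM",
     "properties": {"hardwareProfile": {"vmSize": "Standard_D2_v2"}}},
    {"type": "Microsoft.Network/networkSecurityGroups", "name": "LegacyNSG", "properties": {}},
    {"type": "Microsoft.Storage/storageAccounts", "name": "examrefdiag", "properties": {}},
]
# Constructed template contents (what the next deployment describes)
TEMPLATE = [
    {"type": "Microsoft.Network/virtualNetworks", "name": "ExamRefVNET",
     "properties": {"addressSpace": {"addressPrefixes": ["10.0.0.0/16"]}}},
    {"type": "Microsoft.Network/networkInterfaces", "name": "VMNic", "properties": {}},
    {"type": "Microsoft.Compute/virtualMachines", "name": "MyVM",
     "properties": {"hardwareProfile": {"vmSize": "Standard_D4_v2"}}},
    {"type": "Microsoft.Network/publicIPAddresses", "name": "VMPublicIP", "properties": {}},
]
# Constructed lock: the diagnostics storage account carries a CanNotDelete lock
LOCKED = [("Microsoft.Storage/storageAccounts", "examrefdiag")]

if __name__ == "__main__":
    for mode in ("Incremental", "Complete"):
        result = plan_deployment(EXISTING, TEMPLATE, mode, LOCKED)
        print(mode, "needs review:", needs_review(result))
        for action, items in result.items():
            if items:
                print(f"  {action}: {items}")
```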


Configure a virtual hard disk template 


It is assumed that you already know the structure of the ARM template. For detailed structure and syntax, please refer to https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/template-syntax.


In the storageProfile section of a virtual machine resource, you can specify the imageReference element that references an image from the Azure Marketplace:

"imageReference": {
  "publisher": "[variables('VMImagePublisher')]",
  "offer": "[variables('VMImageOffer')]",
  "sku": "[parameters('VMOSVersion')]",
  "version": "latest"
}




Humble Bundle MS Exam Ref Pearson Mega Bundle — © Pearson. Do Not Distribute. 


You also can specify a generalized VHD that you have previously created. To specify a user 
image, you must specify the osType property (Windows or Linux), and the URL to the VHD 
itself, and the URL to where the disk will be created in Azure Storage (osDiskVhdName). The 
following alternative code snippet demonstrates this. (This sample does not build on the 
previous example.) 


"storageProfile": {
  "osDisk": {
    "name": "[concat(variables('vmName'), '-osDisk')]",
    "osType": "[parameters('osType')]",
    "caching": "ReadWrite",
    "image": {
      "uri": "[parameters('vhdUrl')]"
    },
    "vhd": {
      "uri": "[variables('osDiskVhdName')]"
    },
    "createOption": "FromImage"
  }
}


For context, the vhdUrl parameter and the osDiskVhdName variable are shown here:

"vhdUrl": {
  "type": "string",
  "metadata": {
    "description": "VHD Url..."
  }
}

"osDiskVhdName": "[concat('http://', parameters('userStorageAccountName'), '.blob.core.windows.net/', parameters('userStorageContainerName'), '/', parameters('vmName'), 'osDisk.vhd')]"


See the following for a complete template example: https://docs.microsoft.com/mt-mt/azure/marketplace/partner-center-portal/azure-vm-image-certification


Deploy from a template 


You can deploy templates using the Azure portal, the command line tools, or directly using 
the REST API. Let's start with deploying a template that creates a virtual machine using the 
Azure portal. To deploy a template from the Azure portal, click the Create Resource button 
and search for template deployment, select the template deployment name from the search 
results, and then click Create, as shown in Figure 3-1. 


From there, you have the option to build your own template using the Azure portal's editor (you can paste your own template in or upload from a file using this option, too) or choose from one of the most common templates. Last of all, you can search the existing samples in the Quickstart samples repository in GitHub and choose one of them as a starting point. Figure 3-2 shows the various options after clicking the template deployment search result.
[Figure: the Template deployment (deploy using custom templates) entry in the Azure Marketplace, with its Overview and Plans tabs]

FIGURE 3-1 The Template Deployment option


[Figure: the Custom deployment page, offering Build your own template in the editor, Common templates (Create a Linux virtual machine, Create a Windows virtual machine, Create a web app, Create a SQL database) and Load a GitHub quickstart template]

FIGURE 3-2 Options for configuring a template deployment
Clicking the Build Your Own Template In The Editor option allows you to paste in template code directly. This allows you to author and then deploy templates using the Azure portal for simple testing. In Figure 3-3, you can see the Edit Template window.


[Figure: the Edit template window, with the template's parameters, variables and resources listed in the left pane and the template JSON in the editor]

FIGURE 3-3 Editing a template using the Azure portal editor


MORE INFO ARM TEMPLATE VALIDATION

While creating the ARM template using the Azure portal editor, template validation is performed by default. Parameters, variables, and resources will not populate if there are any template errors, and red indicators in the right margin will call out any errors.


Clicking Save on the previous screen takes you to the page shown in Figure 3-4 where you 
can specify the resource group and any parameters needed to deploy the template. 


MORE INFO ARM TEMPLATE UI

While creating the ARM template using the Azure portal editor, the settings shown in Figure 3-4, including parameter sets and values, come from the ARM template itself. Based on what you define in your template, the screen will be updated accordingly.
[Figure: the Custom deployment page, with Template (Edit template, Edit parameters), Basics (Subscription, Resource group, Location), Settings (one field per template parameter) and Terms and Conditions sections]

FIGURE 3-4 The template editor view


The Edit Parameters button allows you to edit a JSON view of the parameters for the template, as shown in Figure 3-5. This file can also be downloaded and is used to provide different behaviors for the template at deployment time without modifying the entire template.
Common examples of using a parameters file:

■ Defining different instance sizes or SKUs for resources based on the intended usage (small instances for test environments, for example)
■ Defining different numbers of instances
■ Different regions
■ Different credentials

It is recommended that you use the securestring type for parameters that pass confidential data, such as passwords and secrets.
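As an added example (not code from the book), the following Python script is a pre-deployment check for the templates and parameter files described in this skill: it verifies that every variables() and parameters() reference in a template resolves, that every dependsOn entry (as used in Listings 3-3 and 3-6) names a resource the template declares, and that credential parameters use securestring and are not supplied as plaintext values in the parameters file. The sample template and parameters file are constructed for the example, and the secret-name heuristic is an assumption of this script.

```python
"""Added example, not from the Exam Ref text: a small pre-deployment linter for ARM
templates and parameter files. It checks that variables()/parameters() references
resolve, that dependsOn entries name resources declared in the template, and that
credential parameters use securestring and are not given plaintext values."""
import re

# variables('x') / parameters('x') references inside template expressions
REF_RE = re.compile(r"\b(variables|parameters)\('([^']+)'\)")
# resourceId('<type>', <name>) where <name> is a literal or a single reference
DEP_RE = re.compile(
    r"resourceId\('([^']+)',\s*(?:'([^']+)'|(variables|parameters)\('([^']+)'\))\s*\)")
# Parameter names that usually carry credentials (a hypothetical heuristic)
SECRET_HINTS = ("password", "secret", "token", "sshkey", "accesskey")
SECURE_TYPES = ("securestring", "secureobject")

def _strings(node):
    """Yield every string value in a JSON structure (dictionary keys excluded)."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for value in node.values():
            yield from _strings(value)
    elif isinstance(node, list):
        for value in node:
            yield from _strings(value)

def _eval(template, expr):
    """Evaluate a literal or a bare [variables('x')]/[parameters('x')]; anything else -> None."""
    if not isinstance(expr, str):
        return None
    if not expr.startswith("["):
        return expr
    match = REF_RE.fullmatch(expr[1:-1].strip())
    if not match:
        return None  # concat(), resourceGroup() etc. are out of scope for this linter
    kind, name = match.groups()
    if kind == "variables":
        return _eval(template, template.get("variables", {}).get(name))
    return _eval(template, template.get("parameters", {}).get(name, {}).get("defaultValue"))

def lint_template(template):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    variables, parameters = template.get("variables", {}), template.get("parameters", {})
    resources = template.get("resources", [])
    # 1. Every reference must point at a name that is actually defined
    for text in _strings({"variables": variables, "resources": resources}):
        for kind, name in REF_RE.findall(text):
            if name not in (variables if kind == "variables" else parameters):
                findings.append(f"undefined {kind[:-1]} reference: {name}")
    # 2. Every dependsOn entry must name a resource declared in this template
    declared = {(r.get("type", "").lower(), (_eval(template, r.get("name")) or "").lower())
                for r in resources}
    for res in resources:
        for dep in res.get("dependsOn", []):
            match = DEP_RE.search(dep)
            if not match:
                continue
            rtype, literal, kind, name = match.groups()
            target = literal if literal is not None else _eval(template, f"[{kind}('{name}')]")
            if target is not None and (rtype.lower(), target.lower()) not in declared:
                findings.append(f"{res.get('name')} depends on undeclared {rtype}/{target}")
    # 3. Credential parameters must use a secure type so values are not echoed in deployment history
    for pname, pdef in parameters.items():
        insecure = pdef.get("type", "").lower() not in SECURE_TYPES
        if any(h in pname.lower() for h in SECRET_HINTS) and insecure:
            findings.append(f"parameter {pname} should be securestring, not {pdef.get('type')}")
    return findings

def lint_parameters_file(params_file, template):
    """Flag credential parameters given a plaintext 'value'; a Key Vault 'reference' is the fix."""
    tparams, findings = template.get("parameters", {}), []
    for pname, entry in params_file.get("parameters", {}).items():
        secret = (tparams.get(pname, {}).get("type", "").lower() in SECURE_TYPES
                  or any(h in pname.lower() for h in SECRET_HINTS))
        if secret and "value" in entry:
            findings.append(f"plaintext value supplied for {pname}; use a Key Vault reference")
    return findings

# Constructed sample modelled on the chapter's listings, with three deliberate defects: a
# plain-string password parameter, an undefined VMSize and an undefined VMPublicIPName variable.
SAMPLE_TEMPLATE = {
    "parameters": {"VMAdminUserName": {"type": "string", "minLength": 1},
                   "VMAdminPassword": {"type": "string", "minLength": 1}},
    "variables": {"VirtualNetworkName": "ExamRefVNET", "VMNicName": "VMNic", "VMName": "MyVM"},
    "resources": [
        {"name": "[variables('VirtualNetworkName')]", "type": "Microsoft.Network/virtualNetworks",
         "apiVersion": "2019-12-01", "dependsOn": []},
        {"name": "[variables('VMNicName')]", "type": "Microsoft.Network/networkInterfaces",
         "apiVersion": "2019-12-01", "dependsOn": [
             "[resourceId('Microsoft.Network/virtualNetworks', 'ExamRefVNET')]",
             "[resourceId('Microsoft.Network/publicIPAddresses', variables('VMPublicIPName'))]"]},
        {"name": "[variables('VMName')]", "type": "Microsoft.Compute/virtualMachines",
         "apiVersion": "2019-12-01",
         "dependsOn": ["[resourceId('Microsoft.Network/networkInterfaces', variables('VMNicName'))]"],
         "properties": {"hardwareProfile": {"vmSize": "[variables('VMSize')]"},
                        "osProfile": {"adminPassword": "[parameters('VMAdminPassword')]"}}}]}
# Constructed parameters file carrying a placeholder plaintext password (the anti-pattern flagged above)
SAMPLE_PARAMETERS = {"parameters": {"VMAdminUserName": {"value": "examrefadmin"},
                                    "VMAdminPassword": {"value": "PLACEHOLDER-not-a-real-password"}}}
```

Run lint_template(SAMPLE_TEMPLATE) and lint_parameters_file(SAMPLE_PARAMETERS, SAMPLE_TEMPLATE) to list the findings; both return an empty list once the defects are corrected.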


[Figure: the Edit parameters window showing a deploymentParameters.json file with a value entry for each template parameter]

FIGURE 3-5 Editing template parameters using the Azure portal


MORE INFO ARM TEMPLATE BEST PRACTICES

The recommended practices while working with ARM templates can be found at https://docs.microsoft.com/azure/azure-resource-manager/templates/template-best-practices.


The last step to creating a template using the Azure portal is to click the Purchase button 
after reviewing and agreeing to the terms and conditions on the screen. Clicking the Purchase 
button will trigger the deployment. 


The Azure command line tools can also deploy resources using templates. The template files can be located locally on your file system or accessed via HTTP/HTTPS. Common deployment models have the templates stored in a source code repository or an Azure storage account to make it easy for others to deploy the template.
EXAM TIP

The parameters to a template can be passed to the New-AzResourceGroupDeployment cmdlet using the TemplateParameterObject parameter for values that are defined directly in the script as .json. The TemplateParameterFile parameter can be used for values stored in a local .json file. The TemplateParameterUri parameter can be used for values that are stored in a .json file at an HTTP endpoint.


EXAM TIP

The parameters to a template can be passed to the az group deployment create command using the parameters section for values that are defined directly in the script as .json. The template-file parameter can be used for values stored in a local .json file. The template-uri parameter can be used for values that are stored in a .json file at an HTTP endpoint.


Save a deployment as an Azure Resource Manager template 


An existing deployment can be exported as a template that you can use to regenerate the 
environment or to just gain a better understanding of how the deployment is configured. 
There are two ways of exporting a template from a deployment within a resource group. 


The first way is to export the actual template used for the deployment. This method 
exports the template exactly as it was used, including the values for parameters and variables 
during the original execution. This approach does not capture any changes made to the 
deployment after it was deployed. To export this template, navigate to the resource group 
in the Azure portal and click Deployments, select the deployment to export, and click View 
Template on the top navigation. Figure 3-6 depicts a deployment selected inside a Resource 
Group. 


[Figure: the Deployments blade of the ExamRefRg resource group, listing each deployment with its status and the Redeploy, Delete and View template buttons]

FIGURE 3-6 The deployments view of an Azure Resource Group in the Azure portal
Clicking the View Template link opens the Template deployment view, as shown in Figure 3-7. From here, you can click Download to download the template locally, you can click Deploy to re-deploy the template using different parameters, or you can click Add To Library to save it to your template gallery for later deployment.


[Figure: the Template view of a deployment, with Download, Add to library (preview) and Deploy buttons, tabs for Template, Parameters and Scripts, and the template's parameters, variables and resources listed beside the JSON]

FIGURE 3-7 The deployments view of an Azure resource group in the Azure portal


The second approach to generating an ARM template is to use the Automation Script option for the resource group (labeled Export Template in the current portal, as in the left pane of Figure 3-6). It generates a template that represents the current state of the resource group. That state might have been built up by multiple template deployments, or it might have been changed through the Azure portal, the REST API, or the command line since the last deployment. The generated template typically contains many hard-coded values and fewer parameters than a template designed for reuse, and it never contains secret values such as administrator passwords, which you must supply as parameters when you redeploy. Because of the hard-coded values, this template is useful for redeploying to the same resource group; using it for other resource groups may require a significant amount of editing. You can access this template by navigating to the resource group and clicking the Automation Script (Export Template) link in the left pane.
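As an added example (not from the book), here are both template sources retrieved with Azure PowerShell: the template that was submitted for the most recent deployment (what View Template and Download give you) and the export of the resource group's current state (Export Template / Automation Script). The last step counts parameters, resources and securestring parameters in each so you can see how reusable each template is and which secrets you must supply at redeploy time. The resource group name is an assumption.

```powershell
# Added example, not the book's code. Assumes Az.Resources and a signed-in session.
$rg = 'examrefRG'   # assumed resource group name

# 1. Template of the most recent deployment (the portal's Deployments > View Template > Download).
#    Both Save-/Export- cmdlets accept a directory in -Path and return the file they wrote.
$dep = Get-AzResourceGroupDeployment -ResourceGroupName $rg |
    Sort-Object Timestamp -Descending | Select-Object -First 1
$deployed = (Save-AzResourceGroupDeploymentTemplate -ResourceGroupName $rg `
    -DeploymentName $dep.DeploymentName -Path $PWD.Path -Force).Path

# 2. Template generated from the resource group's current state (Export template / Automation Script).
$exported = (Export-AzResourceGroup -ResourceGroupName $rg -Path $PWD.Path `
    -IncludeParameterDefaultValue -Force).Path

# 3. Compare the two. The export usually has fewer parameters and more hard-coded values,
#    and neither file carries secret values: every securestring parameter (adminPassword, ...)
#    has to be supplied again at redeploy time.
function Get-TemplateSummary([string]$Path) {
    $t = Get-Content -Path $Path -Raw | ConvertFrom-Json
    $params = if ($t.parameters) { @($t.parameters.PSObject.Properties) } else { @() }
    [pscustomobject]@{
        Template      = Split-Path $Path -Leaf
        Parameters    = $params.Count
        SecureParams  = @($params | Where-Object { $_.Value.type -eq 'securestring' }).Count
        Resources     = @($t.resources).Count
        ResourceTypes = (@($t.resources) | ForEach-Object { $_.type } | Sort-Object -Unique) -join ', '
    }
}
Get-TemplateSummary $deployed
Get-TemplateSummary $exported
```

Run it from a directory you can write to; the two .json files it leaves behind are the same artifacts the portal's Download and Export Template buttons produce, so a diff between them shows exactly what was changed outside the original deployment.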


Deploy virtual machine extensions 


Azure virtual machines have a variety of built-in extensions that enable configuration management as well as other operations such as installing software agents and even enabling remote debugging for live troubleshooting. The two most common extensions for configuration management are the Windows PowerShell Desired State Configuration (DSC) extension and the more generic Custom Script Extension. Both can be executed at provisioning time or after the virtual machine has already been started.

The Windows PowerShell DSC extension lets you define the state of a virtual machine in the PowerShell Desired State Configuration language and apply it, and it can perform continuous updates when integrated with the Azure Automation DSC service. The Custom Script Extension executes an arbitrary command, such as a batch file, a regular PowerShell script, or a bash script. In addition to these, there are more specific extensions that configure your virtual machines to use open-source configuration management tools such as Chef or Puppet, and many others. Whichever extension you use, it runs with full privileges inside the VM (SYSTEM on Windows, root on Linux), so permission to add or modify extensions is equivalent to code execution on the VM and should be restricted with RBAC accordingly.


While creating a VM, you can add an extension on the Advanced blade, shown in Figure 3-8. This blade lets the user creating the virtual machine install an extension, such as the Custom Script Extension or one of many others.


[Figure 3-8 screenshot: Create a virtual machine, Advanced tab (tabs: Basics, Disks, Networking, Management, Advanced, Tags, Review + create). Extensions section: "Extensions provide post-deployment configuration and automation", with a Select an extension to install control. Cloud init section: "Cloud init is a widely used approach to customize a Linux VM as it boots for the first time. You can use cloud-init to install packages and write files or to configure users and security"; for the selected (Windows) image the portal reports that cloud init is not supported.]
FIGURE 3-8 The Advanced blade in the Azure portal


Figure 3-9 shows the extensions that appear when you click Select An Extension To Install on the Advanced blade shown in Figure 3-8.


Using the custom script extension 


The Azure Custom Script Extension is supported on Windows and Linux virtual machines and is ideal for bootstrapping a virtual machine to an initial configuration. To use it, your script must be reachable over a URI, such as a blob in an Azure storage account, either anonymously or through a shared access signature (SAS) URL. Prefer a short-lived, read-only SAS over an anonymous container: the extension runs the script with full privileges on the VM, so anyone who can modify the blob it downloads can run code on every VM that uses it. The extension takes as parameters the URI (or URIs) and the command to execute, including any arguments to pass to the script. Arguments are part of the extension settings stored in the VM model, so put anything sensitive (for example a domain-join password) in the protected settings, which are encrypted and only decrypted inside the VM. You can run the script at any time while the virtual machine is running.
[Figure 3-9 screenshot: New resource pane listing extensions: Agent for Cloud Workload Protection (Windows) by Symantec Corp.; Agent for Windows Server Monitoring and APM Insight .NET Agent by Site24x7; SentinelOne Windows Extension by SentinelOne; Rapid7 Insight Agent by Rapid7 Inc.; Puppet Agent by Puppet; Octopus Deploy Tentacle Agent by Octopus Deploy Pty. Ltd.; Azure Pipelines Agent, NVIDIA GPU Driver Extension, Network Watcher Agent for Windows, PowerShell Desired State Configuration, and Custom Script Extension by Microsoft Corp.]
FIGURE 3-9 The select a custom script extension menu


To add the Custom Script Extension to an existing virtual machine, open the virtual machine in the Azure portal, click the Extensions link on the left, and choose Custom Script Extension. You specify the script file and any arguments to pass to it. Figure 3-10 shows how to enable this extension using the Azure portal.
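As an added example (not from the book), here is the same operation as Figure 3-10 performed with Azure PowerShell, with the two safeguards described above: a short-lived read-only SAS for the script and protected settings for the command line. The resource group, VM, storage account and the domain-join arguments are assumptions; only the script name deploy-AD.ps1 comes from the figure.

```powershell
# Added example, not the book's code. Assumes Az.Compute, Az.Storage and a signed-in session.
$rg        = 'examrefRG'        # assumed
$vmName    = 'examrefVM'        # assumed
$saName    = 'examrefscripts'   # assumed storage account that holds the script
$container = 'scripts'          # assumed private container
$script    = 'deploy-AD.ps1'    # script name from Figure 3-10

$vm = Get-AzVM -ResourceGroupName $rg -Name $vmName

# 1. Short-lived, read-only SAS for the script blob instead of an anonymous container.
#    The extension runs the script as SYSTEM, so write access to this blob equals code
#    execution on every VM that downloads it: keep the container private and the SAS short.
$ctx = (Get-AzStorageAccount -ResourceGroupName $rg -Name $saName).Context
$scriptUri = New-AzStorageBlobSASToken -Context $ctx -Container $container -Blob $script `
    -Permission r -StartTime (Get-Date).AddMinutes(-5) -ExpiryTime (Get-Date).AddHours(1) -FullUri

# 2. Script arguments (assumed: a domain name and the DSRM password for a new domain
#    controller). -SecureExecution puts the command line into protectedSettings, which are
#    encrypted and only decrypted inside the VM, so the password is not readable from the
#    VM model or the portal. fileUris stay in the public settings, which is why the SAS
#    above is read-only and expires quickly.
$dsrm  = Read-Host -Prompt 'Safe mode administrator password' -AsSecureString
$plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR(
            [Runtime.InteropServices.Marshal]::SecureStringToBSTR($dsrm))
$scriptArgs = "-DomainName examref.local -SafeModePassword '$plain'"

# 3. Install the extension, or re-run it with a new -ForceRerun value. For a .ps1 the
#    extension runs: powershell.exe -ExecutionPolicy Unrestricted -File <script> <arguments>
Set-AzVMCustomScriptExtension -ResourceGroupName $rg -VMName $vmName -Name 'CustomScriptExtension' `
    -Location $vm.Location -FileUri $scriptUri -Run $script -Argument $scriptArgs `
    -SecureExecution -ForceRerun (Get-Date -Format 'yyyyMMddHHmmss')

# 4. Check the outcome before looking at the logs on the VM
#    (C:\WindowsAzure\Logs\Plugins\Microsoft.Compute.CustomScriptExtension).
$ext = Get-AzVMExtension -ResourceGroupName $rg -VMName $vmName -Name 'CustomScriptExtension' -Status
$ext.ProvisioningState
$ext.Statuses    | Select-Object Code, DisplayStatus, Message
$ext.SubStatuses | Select-Object Code, Message   # stdout/stderr captured from the script
```

A non-zero exit code from the script shows up in SubStatuses with the captured output, so this check usually tells you why a run failed without opening an RDP session to the VM.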


EXAM TIP

There are many other ways of configuring and executing the Custom Script Extension using the Azure CLI. The following article has several relevant examples that might be used in an exam: https://docs.microsoft.com/en-in/azure/virtual-machines/extensions/custom-script-linux.
[Figure 3-10 screenshot: Install extension pane with Script file (Required) set to "deploy-AD.ps1" and an empty Arguments (Optional) field.]
FIGURE 3-10 Specifying the Custom Script Extension configuration


MORE INFO TROUBLESHOOTING USING VIRTUAL MACHINE EXTENSION LOGS

If your Custom Script Extension fails to execute, review the log files. On Windows, the logs are under C:\WindowsAzure\Logs\Plugins\Microsoft.Compute.CustomScriptExtension. On Linux, for the legacy CustomScriptForLinux handler the command output is under /var/lib/waagent/Microsoft.OSTCExtensions.CustomScriptForLinux-<version>/download/1; the current Microsoft.Azure.Extensions.CustomScript (version 2) handler keeps its downloads and the script's stdout/stderr under /var/lib/waagent/custom-script/download/<n>/ and writes its own log to /var/log/azure/custom-script/handler.log. These directories retain a copy of the downloaded script and its output, so treat them as sensitive if the script handles secrets.


Skill 3.2: Configure VMs for high availability and scalability

Microsoft Azure virtual machines are a flexible and powerful option for deploying workloads into the cloud. Support for both Windows and Linux operating systems allows for the deployment of a wide variety of workloads that traditionally run in an on-premises environment. This section covers how to configure high availability for Azure VMs and how to deploy and configure virtual machine scale sets using various tools.


This section covers how to:
■ Configure high availability
■ Deploy and configure scale sets


Configure high availability 

Resiliency is a critical part of any application architecture. Azure provides several features and capabilities that make it easier to design resilient solutions. The platform helps you avoid a single point of failure at the physical hardware level and provides techniques to avoid downtime during host updates. Features such as availability zones, availability sets, and load balancers give you the building blocks for highly resilient and available systems.
Availability zones

Availability Zones are physically separate locations within an Azure region, each with its own power, cooling, and networking, that provide higher resiliency and protect applications and data from data center failures. To ensure resiliency, every enabled region has a minimum of three separate zones. The physical and logical separation of availability zones within a region protects applications and data from zone-level failures. Azure offers a 99.99 percent VM uptime SLA when two or more VMs are deployed across two or more availability zones. Figure 3-11 shows how a three-tier application can be deployed with a virtual machine from each tier in each of the three zones for increased availability.

When you create VMs in three availability zones, they are automatically distributed across three fault domains and three update domains. A fault domain is a group of servers that share power, cooling, and networking. An update domain is a group of servers that can be rebooted at the same time.


[Figure 3-11 diagram: an Azure Region containing availability zones, each zone holding a Web Tier virtual machine and a Data Tier virtual machine.]
FIGURE 3-11 Architectural view of an availability zone


To deploy a VM to an availability zone, select the zone you want to use on the Basics blade 
of the virtual machine creation dialog, as shown in Figure 3-12. 


MORE INFO AVAILABILITY ZONES AND AZURE REGIONS

If you are unable to set an availability zone, it is most likely because you have selected a region where availability zones are not available.
[Figure 3-12 screenshot: Create a virtual machine, Basics tab (tabs: Basics, Disks, Networking, Management, Advanced, Tags, Review + create). Project details: Subscription, Resource group (Create new). Instance details: Virtual machine name ExamRefHA-VM, Region (US) East US, the availability zone selector, Image, Azure Spot instance, Size Standard DS1 v2.]
FIGURE 3-12 Specifying the availability zone for a VM


At the time of this writing the following services are supported with availability zones (see https://docs.microsoft.com/en-us/azure/availability-zones/az-region#services-support-by-region for the complete list):

■ Linux Virtual Machines
■ Windows Virtual Machines
■ Virtual Machine Scale Sets
■ Azure App Service Environments
■ Azure Kubernetes Service
■ Managed Disks
■ Azure Firewall
■ Load Balancer
■ Public IP address
■ Zone-redundant storage
■ SQL Database
■ Event Hubs
■ Service Bus
■ VPN Gateway
■ ExpressRoute
■ Application Gateway
Currently supported regions:

■ Central US
■ East US
■ East US 2
■ West US 2
■ France Central
■ North Europe
■ UK South
■ West Europe
■ Japan East
■ Southeast Asia

Azure services that support availability zones fall into two categories: zonal services and zone-redundant services. With zonal services you assign the availability zone explicitly, for example when you place a virtual machine in a zone at creation time. Zone-redundant services are replicated across zones automatically by the platform; for example, a zone-redundant storage (ZRS) account replicates its data across zones without you selecting one.


Availability sets

Deploying a multitier application into availability sets can provide redundancy and high availability for the virtual machines. To provide redundancy for your virtual machines, you must place at least two virtual machines in an availability set. This configuration ensures that at least one virtual machine remains available during a host update or a problem with the physical hardware the virtual machines run on. Having at least two virtual machines in an availability set is a requirement for the 99.95 percent service level agreement (SLA) for virtual machines.

You can also run a single-instance virtual machine, in an availability set or not, but it qualifies only for the lower single-instance SLA, which depends on the disk type used for all of its disks: Premium SSD gives 99.9 percent, while Standard SSD and Standard HDD give 99.5 percent and 95 percent, respectively.

Virtual machines should be deployed into availability sets according to their workload or application tier. For instance, if you are deploying a three-tier solution that consists of web servers, a middle tier, and a database tier, each tier would have its own availability set, as Figure 3-13 demonstrates.

[Figure 3-13 diagram: Web Tier in WebAVSet, Middle Tier in MidAVSet, Data Tier in DataAVSet.]
FIGURE 3-13 Availability set configurations for a multi-tier solution


An availability set is configured with a number of fault domains and update domains. A fault domain represents a group of servers that share power, cooling, and networking, while an update domain represents a group of servers that can be rebooted at the same time. Each availability set can have up to 20 update domains and up to 3 fault domains. Spreading VMs across these domains reduces the impact of physical hardware failures, such as server, network, or power interruptions on one of the physical racks, and of planned host maintenance. It is important to understand that the availability set must be assigned when the virtual machine is created; an existing VM cannot be moved into one without being re-created.


Create an availability set 


To create an availability set, specify a name that is not in use by any other availability set in the resource group, the number of fault and update domains, and whether you will use managed disks with the availability set. To create the availability set at the time of virtual machine creation, go to the Azure portal home page, click + Create A Resource, search for virtual machine, and click Create. You are presented with the Basics blade shown in Figure 3-14; on the Create New pane for the availability set you can create a new set and select the number of fault domains and update domains.

You can also create an availability set on its own by clicking + Create A Resource, searching for availability set, and clicking Create. On the Basics blade you select the subscription, resource group, and region, and specify the availability set name, fault domain count, and update domain count. On the Advanced blade you can select a proximity placement group if one already exists. Click Review + Create at the bottom to create the availability set. You can then place resources such as VMs in the new availability set by selecting it when you create them.

FIGURE 3-14 Creating an availability set
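The following added example (not the book's code) creates an aligned availability set and two VMs in it with Azure PowerShell, then verifies their fault and update domain placement. It also shows the zone check behind the MORE INFO note above about regions without availability zones, and the -Zone alternative for a zonal deployment. Resource names, the region, image and size are assumptions.

```powershell
# Added example, not the book's code. Assumes Az.Compute and a signed-in session.
$rg       = 'examrefRG'         # assumed
$location = 'eastus'            # assumed
$size     = 'Standard_DS1_v2'   # assumed
$cred     = Get-Credential -Message 'Local administrator for the web VMs'

# 0. Zone check: a VM size lists zones only in regions that have availability zones.
#    An empty result is the cause behind "unable to set an availability zone" in the portal.
$sku = Get-AzComputeResourceSku | Where-Object {
    $_.ResourceType -eq 'virtualMachines' -and $_.Name -eq $size -and $_.Locations -contains $location
}
$zones = @($sku.LocationInfo | ForEach-Object { $_.Zones })
"Zones for $size in $location : $($zones -join ', ')"

# 1. Aligned availability set: 2 fault domains (regions offer 2 or 3), 5 update domains.
#    Sku 'Aligned' means managed disks, so each VM's disks sit in the VM's own fault domain.
$avset = New-AzAvailabilitySet -ResourceGroupName $rg -Name 'WebAVSet' -Location $location `
    -PlatformFaultDomainCount 2 -PlatformUpdateDomainCount 5 -Sku Aligned

# 2. Two VMs in the set. The set can only be assigned at creation time.
#    Only 443 is opened from the Internet; manage the VMs over Bastion rather than public RDP.
#    (For a zonal deployment instead, drop -AvailabilitySetName and pass -Zone 1 / -Zone 2.)
foreach ($i in 1, 2) {
    New-AzVM -ResourceGroupName $rg -Location $location -Name "examrefweb$i" `
        -Image 'Win2019Datacenter' -Size $size -Credential $cred `
        -AvailabilitySetName $avset.Name -VirtualNetworkName 'examrefRG-vnet' -SubnetName 'default' `
        -PublicIpAddressName "examrefweb$i-pip" -SecurityGroupName "examrefweb$i-nsg" -OpenPorts 443 |
        Out-Null
}

# 3. Verify the platform spread them: the two VMs should report different fault and update domains.
foreach ($i in 1, 2) {
    $iv = Get-AzVM -ResourceGroupName $rg -Name "examrefweb$i" -Status
    [pscustomobject]@{
        VM           = "examrefweb$i"
        FaultDomain  = $iv.PlatformFaultDomain
        UpdateDomain = $iv.PlatformUpdateDomain
    }
}
```

If step 3 shows both VMs in the same fault domain, the set was created with one fault domain or the VMs were not attached to it; that is the condition under which the 99.95 percent SLA does not apply.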


MORE INFO PROXIMITY PLACEMENT GROUP

A proximity placement group is a logical grouping of VMs that reduces latency by keeping them close to each other. VMs placed in the same proximity placement group are physically located close to one another.


Availability sets and managed disks 


Availability sets and managed disks complement each other. When the VM uses managed 
disks and is placed in an availability set (known as an aligned availability set), it ensures that the 
VM disks are placed in different storage fault domains as shown in Figure 3-15. This alignment 
ensures that all the managed disks attached to a VM are within the same managed disk fault 
domain. The number of fault domains for an availability set depends on the region it belongs 
to, with either two or three fault domains per region. 


MORE INFO UNDERSTANDING AVAILABILITY IN AZURE VMs 


You can learn more about update and fault domains and how to manage availability of 
your Azure VMs at https://docs.microsoft.com/azure/virtual-machines/windows/ 
manage-availability. 
[Figure 3-15 diagram. Left, "Unmanaged Disks and Unaligned Availability Set": the Web, Middle and Data tier VMs are spread across Fault Domain 0, 1 and 2, but their disks all sit on a single storage cluster. Right, "Managed Disks and Aligned Availability Set": the VMs in Fault Domain 0, 1 and 2 have their disks on Storage Cluster 0, 1 and 2 respectively, so a storage cluster failure affects only one fault domain.]
FIGURE 3-15 Aligning managed disks with an availability set


Deploy and configure scale sets 


A virtual machine scale set (VMSS) is a compute resource that you can use to deploy and manage a set of identical virtual machines.

By default, a VMSS supports up to 100 instances. However, you can create a scale set of up to 1,000 instances by placing instances in multiple placement groups. A placement group is a construct similar to an Azure availability set, with its own fault domains and update domains. By default a scale set consists of a single placement group with a maximum of 100 VMs. If the scale set property singlePlacementGroup is set to false, or if you enter an instance count higher than 100 in the Azure portal when creating the scale set, the portal enables multiple placement groups automatically and the scale set can range from 0 to 1,000 VMs.


Using multiple placement groups is commonly referred to as a "large scale set." The singlePlacementGroup property can be set using ARM templates or the command-line tools. Working with large scale sets has a few conditions to be aware of:

■ If you are using a custom image (not a default image from the marketplace), your scale set supports up to 600 instances instead of 1,000.
■ The Basic SKU of the Azure Load Balancer can scale up to 300 instances.
■ For a large scale set (more than 100 instances), use the Standard SKU load balancer (supports up to 1,000 instances) or Azure Application Gateway.
Creating a virtual machine scale set (Azure portal)

Figure 3-16 shows a portion of the creation dialog for a new VM scale set in the Azure portal. Like other Azure resources, you must specify a name and the resource group to deploy to. All instances of the VMSS use the operating system disk image specified here.


[Figure 3-16 screenshot: Create a virtual machine scale set, Basics tab (tabs: Basics, Disks, Networking, Scaling, Management, Health, Advanced, Tags, Review + create). Project details: Subscription, Resource group examrefRG. Scale set details: name ExamRefVMSS, Region (US) East US, Availability zone Zones 1, 2, 3. Instance details: Image Windows Server 2019 Datacenter, Azure Spot instance No, Size Standard D2s v3.]
FIGURE 3-16 Creating a VM scale set


EXAM TIP

A scale set can be deployed to availability zones for higher redundancy and resiliency. If the scale set is created with a single availability zone, all of its instances are deployed in that zone. If it is deployed across multiple availability zones (a zone-redundant scale set), the instances are spread across the selected zones as the scale set scales out, so the loss of one zone takes out only part of the capacity.


Figure 3-17 shows further down the blade. This allows you to configure networking options, 
such as the virtual network and subnet to use, as well as which type of load balancer to use. 
[Figure 3-17 screenshot: Create a virtual machine scale set, Networking tab. Virtual network: (New) examrefRG-vnet. Network interface list: examrefRG-vnet-nic01, no public IP, subnet default (10.0.1.0/24), network security group Basic, accelerated networking Off. Load balancing: Use a load balancer Yes; the options are Application Gateway (HTTP/HTTPS load balancer with URL-based routing, SSL termination, session persistence and web application firewall) or Azure Load Balancer (all TCP/UDP traffic, port forwarding and outbound flows); selected: Azure load balancer (new) ExamRefVMSS-lb with backend pool (new) bepool.]
FIGURE 3-17 Configuring the network and the load balancer for a VM scale set


On the next screen, you configure the Scaling Policy as Manual or Custom. When you set the Scaling Policy to Custom, you see the configuration options for the default rules, as shown in Figure 3-18. Here you specify the minimum and maximum number of VMs in the set, and you set the actions to scale out (add instances) or scale in (remove instances), each driven by a CPU threshold observed over a duration.
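As an added example (not from the book), here are the same default rules as in Figure 3-18 expressed with Azure PowerShell. The cmdlet names are those of Az.Monitor 2.x and 3.x (New-AzAutoscaleRule, New-AzAutoscaleProfile, Add-AzAutoscaleSetting); Az.Monitor 4.0 and later renamed them (New-AzAutoscaleScaleRuleObject, New-AzAutoscaleProfileObject, New-AzAutoscaleSetting). The resource group and scale set names are assumptions.

```powershell
# Added example, not the book's code. Az.Monitor 2.x/3.x cmdlet names (renamed in Az.Monitor 4+).
$rg   = 'examrefRG'   # assumed
$vmss = Get-AzVmss -ResourceGroupName $rg -VMScaleSetName 'ExamRefVMSS'   # assumed name

# Settings shared by both rules: the "Percentage CPU" metric of the scale set, averaged over
# a 10-minute window (the Duration in Figure 3-18), sampled every minute, with a 5-minute
# cooldown after each action so the set does not oscillate.
$common = @{
    MetricName          = 'Percentage CPU'
    MetricResourceId    = $vmss.Id
    MetricStatistic     = 'Average'
    TimeGrain           = [TimeSpan]::FromMinutes(1)
    TimeWindow          = [TimeSpan]::FromMinutes(10)
    ScaleActionCooldown = [TimeSpan]::FromMinutes(5)
}

# Scale out: average CPU above 75 % for 10 minutes, add 1 instance
$scaleOut = New-AzAutoscaleRule @common -Operator GreaterThan -Threshold 75 `
    -ScaleActionDirection Increase -ScaleActionValue 1

# Scale in: average CPU below 25 % for 10 minutes, remove 1 instance
$scaleIn = New-AzAutoscaleRule @common -Operator LessThan -Threshold 25 `
    -ScaleActionDirection Decrease -ScaleActionValue 1

# Profile: minimum 1, maximum 10, default 2. The maximum is also the cap on what a
# runaway metric (or traffic flood) can make you pay for.
$asProfile = New-AzAutoscaleProfile -Name 'DefaultProfile' -MinimumCapacity 1 -MaximumCapacity 10 `
    -DefaultCapacity 2 -Rule $scaleOut, $scaleIn

Add-AzAutoscaleSetting -ResourceGroupName $rg -Name 'ExamRefVMSS-autoscale' -Location $vmss.Location `
    -TargetResourceId $vmss.Id -AutoscaleProfile $asProfile

# Verify the setting landed and is enabled
Get-AzAutoscaleSetting -ResourceGroupName $rg -Name 'ExamRefVMSS-autoscale' |
    Select-Object Name, Enabled, @{ n = 'Profiles'; e = { $_.Profiles.Count } }
```

Keep the scale-in threshold well below the scale-out threshold, as here: if the two are close, each added instance lowers the average enough to trigger a scale-in, and the set flaps between sizes.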


During the lifecycle of a virtual machine scale set you may need to upgrade the instances to the latest scale set model. The upgrade policy property of the VMSS resource determines how VMs are upgraded once the model changes. Three options are available: Automatic, Rolling, and Manual (see Figure 3-19). With Automatic, all instances are updated in random order as soon as the model changes, which can cause downtime. With Rolling, the scale set updates VMs in batches, and you can set a pause time between batches to avoid total downtime. With Manual, it is up to you to step through and update each instance, for example with the PowerShell Update-AzVmssInstance cmdlet or the Azure CLI az vmss update-instances command.


[Figure 3-18 screenshot: Create a virtual machine scale set, Scaling tab. Initial instance count 100; Scaling policy Custom; Minimum number of VMs 1; Maximum number of VMs 10. Scale out: CPU threshold 75 %, Duration 10 minutes, Number of VMs to increase by 1. Scale in: CPU threshold 25 %, Number of VMs to decrease by 1.]
FIGURE 3-18 Configuring scaling rules for a virtual machine scale set


MORE INFO UPGRADING A VIRTUAL MACHINE SCALE SET

You can learn more about upgrading virtual machine scale sets at https://docs.microsoft.com/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-upgrade-scale-set.
[Figure 3-19 screenshot: Create a virtual machine scale set, Management tab. Azure Security Center: Enable basic plan for free On (applies to every VMSS in the selected subscription). Upgrade policy: Upgrade mode drop-down offering Automatic (instances start upgrading immediately in random order), Manual (existing instances must be manually upgraded) and Rolling (upgrades roll out in batches with optional pause). Monitoring: Boot diagnostics with a diagnostics storage account. Identity: System assigned managed identity Off. Automatic OS upgrades Off. Instance termination notification Off.]
FIGURE 3-19 Configuring Management rules for a virtual machine scale set


You can also add a layer of health monitoring to your application when you create the VMSS. Health monitoring is required when you plan to use platform-managed upgrades such as automatic OS upgrades and automatic instance repairs. On the Health tab you can enable application health monitoring and configure it by choosing the extension, protocol, port, and application endpoint path (see Figure 3-20).


158 CHAPTER 3 Deploy and manage Azure compute resources
Humble Bundle MS Exam Ref Pearson Mega Bundle — © Pearson. Do Not Distribute.


[Figure 3-20 screenshot: Create a virtual machine scale set, Health tab. Health monitoring on an application endpoint updates the status of the application on that instance, which is required for platform-managed upgrades such as automatic OS updates and instance upgrades. Health: Monitor application health (Disabled by default); Application health monitor: Application health extension; Protocol HTTP; Port number 80; Path /. Note: the Application Health extension probes the health endpoint and reports the application as unhealthy if the endpoint is not set up correctly. Automatic repair policy: Automatic repairs Off; Grace period 30 minutes.]
FIGURE 3-20 Configuring Health monitoring for a virtual machine scale set


The Advanced tab (see Figure 3-21) holds the allocation policy, which includes scaling beyond 100 instances and the spreading algorithm, plus options such as the proximity placement group and the VM generation.
[Figure 3-21 screenshot: Create a virtual machine scale set, Advanced tab. Allocation policy: Enable scaling beyond 100 instances No; Force strictly even balance across zones No; Spreading algorithm: Max spreading or Fixed spreading (not recommended with zones). Cloud init (not supported by the selected image). Proximity placement group: none found. VM generation: Gen1 or Gen2; Generation 2 VMs support UEFI-based boot, larger memory and OS disk size limits, Intel Software Guard Extensions (SGX) and virtual persistent memory (vPMEM), but at the time of the screenshot did not yet support some platform features, including Azure Disk Encryption.]
FIGURE 3-21 Configuring Advanced rules for a virtual machine scale set


EXAM TIP

The spreading algorithm decides how scale set instances are placed across fault domains. With max spreading, the instances are distributed across as many fault domains as possible in each zone. Fixed spreading restricts instances to exactly five fault domains; if a scale set uses fixed spreading and fewer than five fault domains are available, the deployment fails.




The Azure portal creation process does not directly support applying additional configuration management options, such as VM extensions, to a scale set. However, they can be applied to a VMSS later using the command-line tools or an ARM template.
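The following added example (not the book's code) ties two points above together: it adds the Custom Script Extension to the model of an existing scale set, which the portal creation flow cannot do, and then rolls the new model out to the instances under the Manual upgrade policy in controlled batches with Update-AzVmssInstance, as described under upgrade policies. Scale set, storage and script names, and the SAS placeholder in the URL, are assumptions.

```powershell
# Added example, not the book's code. Assumes Az.Compute and a signed-in session.
$rg   = 'examrefRG'     # assumed
$name = 'ExamRefVMSS'   # assumed

$vmss = Get-AzVmss -ResourceGroupName $rg -VMScaleSetName $name

# 1. Add the Custom Script Extension to the scale set *model*. Public settings are readable by
#    anyone with read access to the scale set; the command line goes into -ProtectedSetting.
$settings  = @{ fileUris = @('https://examrefscripts.blob.core.windows.net/scripts/bootstrap.ps1?<sas>') } # assumed
$protected = @{ commandToExecute = 'powershell -ExecutionPolicy Bypass -File bootstrap.ps1' }
$vmss = Add-AzVmssExtension -VirtualMachineScaleSet $vmss -Name 'CustomScriptExtension' `
    -Publisher 'Microsoft.Compute' -Type 'CustomScriptExtension' -TypeHandlerVersion '1.10' `
    -AutoUpgradeMinorVersion $true -Setting $settings -ProtectedSetting $protected

# 2. Push the new model with the Manual upgrade policy: new instances get it immediately,
#    existing instances keep the old model until you upgrade them.
$vmss.UpgradePolicy.Mode = 'Manual'
Update-AzVmss -ResourceGroupName $rg -VMScaleSetName $name -VirtualMachineScaleSet $vmss | Out-Null

# 3. Upgrade only the instances that are still on the old model, two at a time, with a pause
#    between batches (the hand-rolled equivalent of the Rolling policy), so capacity never drains.
$stale = @(Get-AzVmssVM -ResourceGroupName $rg -VMScaleSetName $name |
    Where-Object { -not $_.LatestModelApplied } | ForEach-Object { $_.InstanceId })
$batchSize = 2
for ($i = 0; $i -lt $stale.Count; $i += $batchSize) {
    $batch = $stale[$i..([Math]::Min($i + $batchSize, $stale.Count) - 1)]
    Update-AzVmssInstance -ResourceGroupName $rg -VMScaleSetName $name -InstanceId $batch | Out-Null
    Start-Sleep -Seconds 60
}

# 4. Confirm every instance now reports LatestModelApplied = True
Get-AzVmssVM -ResourceGroupName $rg -VMScaleSetName $name |
    Select-Object InstanceId, LatestModelApplied, ProvisioningState
```

The same LatestModelApplied check is what the portal's Instances view shows as "Latest model"; an instance stuck at False after step 3 usually means the extension failed on it, and Get-AzVmssVM -InstanceView on that instance gives the extension status.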


MORE INFO VIRTUAL MACHINE SCALE SETS

You can learn more about virtual machine scale sets here: https://docs.microsoft.com/azure/virtual-machine-scale-sets/.


Skill 3.3: Configure VMs 


There are multiple ways to create and configure virtual machines, depending on your intended use. The easiest way to create an individual virtual machine is the Azure portal. If you need automated provisioning (or you just enjoy the command line), the Azure PowerShell cmdlets and the Azure cross-platform command-line interface (CLI) are a good fit. For more advanced automation, including orchestration of multiple virtual machines, Azure Resource Manager templates can also be used. Each method brings its own capabilities and tradeoffs, and it is important to understand which tool fits which scenario. In this section, we cover various aspects and features for efficiently managing VMs and supporting resources in an Azure environment.


This section covers how to:
■ Configure Azure Disk Encryption
■ Move VMs from one resource group to another
■ Manage VM sizes
■ Add data disks
■ Configure networking
■ Redeploy VMs


Configure Azure Disk Encryption 

Encrypting Azure VM disks used to be cumbersome: earlier versions of Azure Disk Encryption required an Azure AD application (a client ID and secret) to authorize the VM to write its keys to Key Vault. Now there is a straightforward way to encrypt Azure VM disks through direct integration with Azure Key Vault. Azure Disk Encryption (ADE) encrypts the volumes inside the guest, using BitLocker on Windows and dm-crypt on Linux, and stores the volume keys in your Key Vault; it is separate from, and can be combined with, the storage service encryption (SSE) that Azure applies to managed disks at rest. In this section you learn how to manage Azure Disk Encryption in a few scenarios using the Azure portal. Note that these steps can also be performed using PowerShell or the Azure CLI.
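As an added example (not from the book), here is the same encryption setup performed with Azure PowerShell rather than the portal: create the Key Vault with the disk-encryption flag, add an optional key encryption key, enable ADE on the VM, and verify. Resource and key names are assumptions; the VM is the Windows VM examrefVM from the figures.

```powershell
# Added example, not the book's code. Assumes Az.Compute, Az.KeyVault and a signed-in session
# whose identity can create keys in the vault (Key Vault Crypto Officer on an RBAC vault).
$rg       = 'examrefRG'         # assumed
$vmName   = 'examrefVM'         # assumed (Windows VM)
$kvName   = 'examref-ade-kv'    # assumed; vault names are globally unique
$kekName  = 'examref-ade-kek'   # assumed
$location = (Get-AzVM -ResourceGroupName $rg -Name $vmName).Location

# 1. Key Vault in the same region as the VM. -EnabledForDiskEncryption lets the platform read
#    the BitLocker secrets; purge protection keeps a deleted key recoverable, because losing
#    it means losing the disk.
$kv = New-AzKeyVault -ResourceGroupName $rg -VaultName $kvName -Location $location `
    -EnabledForDiskEncryption -EnablePurgeProtection

# 2. Optional key encryption key (KEK): the per-volume BitLocker key is wrapped with this
#    RSA key, so rotating or revoking it does not require re-encrypting the volume.
$kek = Add-AzKeyVaultKey -VaultName $kvName -Name $kekName -Destination Software

# 3. Enable ADE for the OS and data disks. The VM is rebooted during this step; -Force
#    skips the interactive confirmation of that.
Set-AzVMDiskEncryptionExtension -ResourceGroupName $rg -VMName $vmName `
    -DiskEncryptionKeyVaultUrl $kv.VaultUri -DiskEncryptionKeyVaultId $kv.ResourceId `
    -KeyEncryptionKeyUrl $kek.Key.Kid -KeyEncryptionKeyVaultId $kv.ResourceId `
    -VolumeType All -Force

# 4. Verify: OsVolumeEncrypted and DataVolumesEncrypted should read Encrypted.
Get-AzVMDiskEncryptionStatus -ResourceGroupName $rg -VMName $vmName
```

Note that, as Figure 3-21 records for the time of writing, Generation 2 VMs were not yet supported by Azure Disk Encryption, so step 3 fails on such a VM; check the VM generation first.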
MORE INFO CHARGES FOR AZURE DISK ENCRYPTION

There is no charge for encrypting VM disks with Azure Disk Encryption, but there are charges associated with the use of Azure Key Vault. Key Vault pricing can be found at https://azure.microsoft.com/en-in/pricing/details/key-vault/.


Enable encryption on an existing VM 
Follow these steps to enable encryption on an existing VM: 


1. Browse to the VM resource in Azure portal and under Settings, select Disks (see 
Figure 3-22). 


[Figure 3-22 screenshot: examrefVM > Disks blade. Toolbar: Edit, Refresh, Encryption, Swap OS Disk. Note: managed disks created since June 10, 2017 are encrypted at rest with Storage Service Encryption (SSE); you may also want to enable Azure Disk Encryption. Ultra Disk compatibility is not available for this location. OS disk: 127 GiB Premium SSD. Data disks: none (Add data disk).]
FIGURE 3-22 Disks blade for Azure VM


2. Now, click Encryption. Under Disks To Encrypt, choose None, OS Disk, or OS And 
Data Disks, as shown in Figure 3-23. 


[Screenshot: Encryption blade for examrefVM. "Azure Disk Encryption (ADE) provides volume encryption for the OS and data disks." Disks to encrypt drop-down with the options None, OS disk, and OS and data disks.]


FIGURE 3-23 Encryption options for Azure VM disks
3. On the next screen, click Select A Key Vault And Key For Encryption (see Figure 3-24).


[Screenshot: Encryption blade for examrefVM with Save and Discard. Encryption settings: "Azure Disk Encryption is integrated with Azure Key Vault to help manage encryption keys. As a prerequisite, you need to have an existing key vault with encryption permissions set. For additional security, you can create or choose an optional key encryption key to protect the secret." Link: Select a key vault and key for encryption. Fields Key vault, Key, and Version are all None.]


FIGURE 3-24 Encryption options for Azure VM disks


4. Select Create New to create a new Key Vault to store encryption keys (see 
Figure 3-25). 


[Screenshot: Select key from Azure Key Vault blade with the Key vault drop-down and a Create new link.]


FIGURE 3-25 Key Vault to store encryption keys


5. Create a new Key Vault by providing a name along with the other options, as shown in
Figure 3-26.
[Screenshot: Create key vault, Basics tab (tabs: Basics, Access policy, Networking, Tags, Review + create). Description: "Azure Key Vault is a cloud service used to manage keys, secrets, and certificates. Key Vault eliminates the need for developers to store security information in their code. It allows you to centralize the storage of your application secrets which greatly reduces the chances that secrets may be leaked. Key Vault also allows you to securely store secrets and keys backed by Hardware Security Modules or HSMs. The HSMs used are Federal Information Processing Standards (FIPS) 140-2 Level 2 validated. In addition, key vault provides logs of all access and usage attempts of your secrets so you have a complete audit trail for compliance." Project details: Resource group examrefRG. Instance details: Key vault name examrefKV, Pricing tier Standard, Soft delete enabled, Retention period (days) 90, Purge protection Enable. Button: Next : Access policy.]


FIGURE 3-26 Create Key Vault


6. On the Access Policies tab, select Azure Disk Encryption For Volume Encryption
(see Figure 3-27).


[Screenshot: Create key vault, Access policy tab. Enable Access to: Azure Virtual Machines for deployment; Azure Resource Manager for template deployment; Azure Disk Encryption for volume encryption (checked).]


FIGURE 3-27 Access policy options while creating Key Vault


7. Select Review + Create. After the Key Vault has passed validation, select Create. This 
will return you to the Select Key From Azure Key Vault screen. 


8. Click Create New to generate a new key (see Figure 3-28).
9. On the next screen, verify the details and click Select (see Figure 3-29). You will be
redirected to the Encryption blade with the newly created Key Vault and key, as shown in
Figure 3-30.
[Screenshot: Create a key blade. Options: Generate; Name; Key Type; RSA Key Size (2048, 3072, 4096); Set activation date?; Set expiration date?; Enabled?]


FIGURE 3-28 Create A Key


[Screenshot: Select key from Azure Key Vault. Notice: "The key 'examrefKey' has been successfully created." Key vault examrefKV, Key examrefKey, Version 1b766d003ff749519f536f9c2964f94f, each with a Create new link.]


FIGURE 3-29 Select a key


[Screenshot: Encryption blade for examrefVM with Save and Discard. Disks to encrypt: OS disk. Encryption settings populated: Key vault /subscriptions/00b72028-9dce-4729-9b2a-a10e92054447/resourceGroups/examrefRG/providers/Microsoft.KeyVault/vaul... (truncated in the portal), Key examrefKey, Version 1b766d003ff749519f536f9c2964f94f.]


FIGURE 3-30 Encryption settings for Azure Disk Encryption
10. When you save your encryption settings, you will be asked to restart your
VM for the changes to take effect (see Figure 3-31).


[Screenshot: Encryption blade for examrefVM, Save confirmation: "Enabling Azure Disk Encryption will cause the VM to reboot. Do you want to encrypt and restart virtual machine 'examrefVM'?"]


FIGURE 3-31 Save encryption settings


11. As stated earlier, once your VM is restarted, the selected (OS or data) disks will be 
encrypted with the supplied keys. 


MORE INFO DISK ENCRYPTION FOR WINDOWS AND LINUX VMs


Windows VMs: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/disk-encryption-overview


Linux VMs: https://docs.microsoft.com/en-us/azure/virtual-machines/linux/disk-encryption-overview


Create new VM with customer-managed encryption keys 


You can enable encryption with customer-managed keys (known as CMK) while creating a new
VM. Before creating the VM, you need to create a disk encryption set.


Follow these steps to create a disk encryption set using the Azure portal:
1. Click Create A Resource on the homepage and choose Disk Encryption Set > Create.


2. On the next screen, select the Subscription, Resource Group, and Region, and then
specify the Disk Encryption Set Name.

3. Also, you will need to select a Key Vault and key from the Key Vault And Key drop-down
menu (if you've already created one), as shown in Figure 3-32. If you have
not created a Key Vault and key for encryption, create them before creating a disk
encryption set.


4. Once your disk encryption set is created, proceed with creating an Azure VM with the 
desired settings. 
[Screenshot: Create a disk encryption set, Basics tab (tabs: Basics, Tags, Review + create). Description: "Disk encryption sets allow you to manage encryption keys using server-side encryption for Standard HDD, Standard SSD, and Premium SSD managed disks. It will give you control of the encryption keys to meet your security and compliance needs in a few clicks." Project details: Subscription Visual Studio Ultimate with MSDN. Instance details: Disk encryption set name examrefDESet; Region (Canada) Canada East; Key vault and key: Key vault examrefKV, Key examrefKey, Version 1b766d003ff749519f536f9c2964f94f (Click to select a key).]


FIGURE 3-32 Create a disk encryption set


5. On the Disks tab, under Encryption Type, choose Encryption At-Rest With A 
Customer-Managed Key, as shown in Figure 3-33. 


6. Select the Disk Encryption Set created in step 1. You can apply these settings to
each of the disks you choose to create.


7. Click Review + Create to create the VM with disk encryption using a customer-managed
key.
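The same disk-encryption-set procedure done with Az PowerShell, as an added example that is not code from the book: it creates the set from an existing Key Vault key, grants the set's identity only the key permissions it needs, and then creates a VM whose OS disk uses the set. The names examrefRG, examrefKV, examrefKey, examrefDESet, examrefNIC and examrefCmkVM are assumptions that follow the book's walkthrough; the NIC is assumed to exist already.

```powershell
# Added example (not the book's code): disk encryption set + VM with a CMK-encrypted OS disk.
# Assumed names: examrefRG, examrefKV, examrefKey, examrefDESet, examrefNIC, examrefCmkVM.
$rg = 'examrefRG'; $location = 'canadaeast'
$kv  = Get-AzKeyVault -VaultName 'examrefKV' -ResourceGroupName $rg
$key = Get-AzKeyVaultKey -VaultName $kv.VaultName -Name 'examrefKey'

# Server-side encryption with a customer-managed key needs purge protection on the vault,
# otherwise a deleted key could leave every disk that used it unreadable.
if (-not $kv.EnablePurgeProtection) {
    throw "Key vault $($kv.VaultName) must have purge protection enabled before it backs a disk encryption set"
}

# 1. Disk encryption set with a system-assigned identity (steps 1-4 above).
$desConfig = New-AzDiskEncryptionSetConfig -Location $location `
    -SourceVaultId $kv.ResourceId -KeyUrl $key.Key.Kid -IdentityType SystemAssigned
$des = New-AzDiskEncryptionSet -ResourceGroupName $rg -Name 'examrefDESet' -InputObject $desConfig

# 2. Least privilege: the set only needs to wrap/unwrap and read the key, never create or delete it.
Set-AzKeyVaultAccessPolicy -VaultName $kv.VaultName -ObjectId $des.Identity.PrincipalId `
    -PermissionsToKeys wrapkey, unwrapkey, get

# 3. VM whose OS disk is created from the image with the disk encryption set (steps 5-7 above).
$cred = Get-Credential -Message 'Local administrator account for the new VM'
$nic  = Get-AzNetworkInterface -ResourceGroupName $rg -Name 'examrefNIC'   # assumed to exist
$vmConfig = New-AzVMConfig -VMName 'examrefCmkVM' -VMSize 'Standard_DS1_v2' |
    Set-AzVMOperatingSystem -Windows -ComputerName 'examrefCmkVM' -Credential $cred |
    Set-AzVMSourceImage -PublisherName MicrosoftWindowsServer -Offer WindowsServer -Skus 2019-Datacenter -Version latest |
    Set-AzVMOSDisk -CreateOption FromImage -StorageAccountType Premium_LRS -DiskEncryptionSetId $des.Id |
    Add-AzVMNetworkInterface -Id $nic.Id
New-AzVM -ResourceGroupName $rg -Location $location -VM $vmConfig | Out-Null

# 4. Check: the managed OS disk should report EncryptionAtRestWithCustomerKey and the set's ID.
$osDiskName = (Get-AzVM -ResourceGroupName $rg -Name 'examrefCmkVM').StorageProfile.OsDisk.Name
(Get-AzDisk -ResourceGroupName $rg -DiskName $osDiskName).Encryption
```

The purge-protection check at the top is the condition the portal enforces silently when it lists eligible vaults; scripting it up front gives a clear failure instead of a deployment error later.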
[Screenshot: Create a virtual machine, Disks tab (tabs: Basics, Disks, Networking, Management, Advanced, Tags, Review + create). "Azure VMs have one operating system disk and a temporary disk for short-term storage. You can attach additional data disks. The size of the VM determines the type of storage you can use and the number of data disks allowed." Disk options: OS disk type Premium SSD; Encryption type drop-down showing "(Default) Encryption at-rest with a platform-managed key" and "Encryption at-rest with a customer-managed key" (selected); Disk encryption set examrefDESet; Enable Ultra Disk compatibility ("Ultra Disk compatibility is not available for this VM size and location"). Data disks: "You can add and configure additional data disks for your virtual machine or attach existing disks. This VM also comes with a temporary disk." Columns LUN, Name, Size (GiB), Disk type, Host caching; links Create and attach a new disk, Attach an existing disk; Advanced. Buttons: Previous, Next : Networking.]


FIGURE 3-33 Create a VM by enabling disk encryption using customer-managed keys


MORE INFO DISK ENCRYPTION WITH CUSTOMER-MANAGED KEYS


Once a customer-managed key is used, you cannot change the selection back to a platform-managed
key.


Enable encryption on a newly added data disk 


When you add a new data disk to an existing VM or to a new VM, you can select
encryption with a customer-managed key, as shown in Figure 3-34.
[Screenshot: Create a managed disk. "Create a new disk to store applications and data on your VM. Disk pricing varies based on factors including disk size, storage type, and number of transactions." Disk name examrefDataDisk; Resource group examrefRG; Location Canada East; Availability zone None; Source type None; Size 1024 GiB, Premium SSD (Change size); Encryption type drop-down showing "(Default) Encryption at-rest with a platform-managed key" and "Encryption at-rest with a customer-managed key" (selected); Disk encryption set examrefDESet; Create button.]


FIGURE 3-34 Enable disk encryption using customer-managed keys for data disk


Disable encryption 


When you choose to disable encryption for OS and data disks for an existing VM, you can set 
the Disks To Encrypt option to None, as shown in Figure 3-35. 
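The "Enable encryption on an existing VM" steps earlier in this section and the disable step just described, done with Az PowerShell as an added example (this is not code from the book). The names examrefRG, examrefVM, examrefKV and examrefKey are assumptions taken from the book's walkthrough; a real key vault name must be globally unique.

```powershell
# Added example, not the book's code: Azure Disk Encryption enable/disable with Az PowerShell.
# Assumed names: examrefRG, examrefVM, examrefKV, examrefKey (key vault names are globally unique).
function Enable-ExamRefDiskEncryption {
    param(
        [string]$ResourceGroupName = 'examrefRG',
        [string]$VMName            = 'examrefVM',
        [string]$KeyVaultName      = 'examrefKV',
        [string]$KekName           = 'examrefKey',
        [string]$Location          = 'canadaeast',
        # 'OS' = "OS disk", 'All' = "OS and data disks" in the portal's Disks To Encrypt list
        [ValidateSet('OS', 'Data', 'All')] [string]$VolumeType = 'OS'
    )

    # Steps 4-7: key vault with the "Azure Disk Encryption for volume encryption" access policy
    # (-EnabledForDiskEncryption), 90-day soft delete retention and purge protection (Figure 3-26).
    $kv = Get-AzKeyVault -VaultName $KeyVaultName -ResourceGroupName $ResourceGroupName -ErrorAction SilentlyContinue
    if (-not $kv) {
        $kv = New-AzKeyVault -Name $KeyVaultName -ResourceGroupName $ResourceGroupName -Location $Location `
                -EnabledForDiskEncryption -SoftDeleteRetentionInDays 90 -EnablePurgeProtection
    }

    # Step 8: key encryption key (KEK) that wraps the volume secret the extension generates.
    $kek = Get-AzKeyVaultKey -VaultName $KeyVaultName -Name $KekName -ErrorAction SilentlyContinue
    if (-not $kek) {
        $kek = Add-AzKeyVaultKey -VaultName $KeyVaultName -Name $KekName -Destination Software
    }

    # Steps 9-11: apply the extension. The VM reboots, as the portal warns in Figure 3-31.
    Set-AzVMDiskEncryptionExtension -ResourceGroupName $ResourceGroupName -VMName $VMName `
        -DiskEncryptionKeyVaultUrl $kv.VaultUri -DiskEncryptionKeyVaultId $kv.ResourceId `
        -KeyEncryptionKeyUrl $kek.Key.Kid -KeyEncryptionKeyVaultId $kv.ResourceId `
        -VolumeType $VolumeType -Force | Out-Null

    Get-AzVMDiskEncryptionStatus -ResourceGroupName $ResourceGroupName -VMName $VMName
}

function Disable-ExamRefDiskEncryption {
    param(
        [string]$ResourceGroupName = 'examrefRG',
        [string]$VMName            = 'examrefVM',
        [ValidateSet('OS', 'Data', 'All')] [string]$VolumeType = 'OS'
    )
    # Equivalent of setting Disks To Encrypt back to None. The KEK stays in the vault;
    # keep it there until every disk that was wrapped with it has been decrypted.
    Disable-AzVMDiskEncryption -ResourceGroupName $ResourceGroupName -VMName $VMName `
        -VolumeType $VolumeType -Force | Out-Null
    Get-AzVMDiskEncryptionStatus -ResourceGroupName $ResourceGroupName -VMName $VMName
}

# Encrypt the OS disk; OsVolumeEncrypted reads Encrypted once the extension has finished.
Enable-ExamRefDiskEncryption | Select-Object OsVolumeEncrypted, DataVolumesEncrypted, ProgressMessage
```

Call Disable-ExamRefDiskEncryption separately when you need to reverse the change; disabling encryption on the OS volume is a Windows-only operation, so on Linux VMs use -VolumeType Data.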
[Screenshot: Encryption blade for examrefVM. "Azure Disk Encryption (ADE) provides volume encryption for the OS and data disks." Disks to encrypt drop-down opened with None (selected), OS disk, and OS and data disks.]


FIGURE 3-35 Disable disk encryption


Move VMs from one resource group to another 


Azure provides the ability to move some resources from one subscription to another or from
one resource group to another.


Follow these steps to move a virtual machine using the Azure portal: 


1. Open the VM blade, as shown in Figure 3-36, and click the Change link next to the 
Resource Group label or click the Change button next to the Subscription label. 

[Screenshot: examrefVM overview blade. Toolbar: Connect, Restart, Stop, Capture, Delete, Refresh. Advisor (1 of 2): "Enable virtual machine backup to protect your data from corruption and accidental deletion." Essentials: Resource group (change) examrefRG; Status Running; Location Canada East; Subscription (change) Visual Studio Ultimate with MSDN; Subscription ID; Computer name; Operating system Windows (Windows Server 2016 Datacenter); Size Standard DS1 v2 (1 vcpus, 3.5 GiB memory); Tags (change) Click here to add tags.]


FIGURE 3-36 The virtual machine blade with the change options visible for Resource Group and Subscription


2. Clicking the Change link next to the Resource Group name will bring up the Move
Resources blade, as shown in Figure 3-37. This blade shows the resources related to the
virtual machine, such as disks, network security groups, network interfaces, and so on.
From here, you can select the individual resources to move to the destination resource
group.
3. The Destination Resource Group can be selected from the drop-down menu if it is
created already; otherwise, it can be created using the Create A New Group option at
the bottom right (see Figure 3-37).


4. Accept the terms and click OK to start the resource movement.
5. Because the resource group will change, any existing scripts that target resources in
this resource group will no longer work until they have been updated. The Azure portal
prompts you to confirm that you are aware of this change before you can continue with
the move.


[Screenshot: Move Resources blade listing the resources related to the virtual machine (virtual machine, availability set, disk encryption set, disks, network interface, network security group, and others) with a checkbox for each, and the confirmation "I understand that tools and scripts associated with moved resources will not work until I update them to use new resource IDs".]


FIGURE 3-37 The Move Resources blade showing the related resources for a virtual machine


MORE INFO HOW TO GET RESOURCE ID


6. You can retrieve the resource ID using the Azure portal, PowerShell, or the CLI. To get the
resource ID from the Azure portal, go to the resource and then navigate to the
resource's Properties. You will find the resource ID on the right side.
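The move procedure above done with Az PowerShell, as an added example (not code from the book): it collects the resource IDs of the VM and the resources that must travel with it, lists them (this is also the "how to get the resource ID" answer for scripts), does a -WhatIf dry run, and then performs the move. The names examrefRG, examrefRG2 and examrefVM are assumptions; the destination group is assumed to exist already.

```powershell
# Added example, not the book's code: move a VM and its dependent resources with Az PowerShell.
# Assumed names: examrefRG (source), examrefRG2 (destination, already created), examrefVM.
$srcRg = 'examrefRG'; $dstRg = 'examrefRG2'; $vmName = 'examrefVM'

$vm = Get-AzVM -ResourceGroupName $srcRg -Name $vmName

# Collect what must move together: the VM, its managed disks, its NICs and the public IPs
# and NSGs those NICs reference. Leaving a dependent resource behind makes the move fail.
$ids = [System.Collections.Generic.List[string]]::new()
$ids.Add($vm.Id)
$ids.Add($vm.StorageProfile.OsDisk.ManagedDisk.Id)
foreach ($d in $vm.StorageProfile.DataDisks) { $ids.Add($d.ManagedDisk.Id) }
foreach ($nicRef in $vm.NetworkProfile.NetworkInterfaces) {
    $nic = Get-AzNetworkInterface -ResourceId $nicRef.Id
    $ids.Add($nic.Id)
    if ($nic.NetworkSecurityGroup) { $ids.Add($nic.NetworkSecurityGroup.Id) }
    foreach ($ipcfg in $nic.IpConfigurations) {
        if ($ipcfg.PublicIpAddress) { $ids.Add($ipcfg.PublicIpAddress.Id) }
    }
}
$ids = @($ids | Sort-Object -Unique)

# These are the resource IDs that existing scripts currently use and will have to stop using.
$ids | ForEach-Object { "Will move: $_" }

# Dry run first, then the real move. -DestinationSubscriptionId would be added for a
# cross-subscription move.
Move-AzResource -DestinationResourceGroupName $dstRg -ResourceId $ids -WhatIf
Move-AzResource -DestinationResourceGroupName $dstRg -ResourceId $ids -Force

# Every moved resource has a new ID under the destination group; show the VM's.
(Get-AzVM -ResourceGroupName $dstRg -Name $vmName).Id
```

If the VM belongs to an availability set, the set and all of its member VMs have to be included in the same move, which is one of the virtual-machine caveats the next MORE INFO box points to.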


MORE INFO SUPPORTED RESOURCES FOR MOVING


Not all resources are fully supported for moving between resource groups and subscriptions,
and there are several caveats regarding virtual machines. See
https://docs.microsoft.com/en-in/azure/azure-resource-manager/management/move-support-resources
for more details.
Manage VM sizes


There are many situations where the amount of compute processing your workload needs
varies dramatically from day to day or even hour to hour. For example, in many organizations
line-of-business (LOB) applications are used heavily during the workweek, but on the weekends
they see little actual usage. Other examples are workloads that require more processing
time due to scheduled events such as backups or maintenance windows, where having more
compute capacity may make it faster to complete these tasks. Azure provides purpose-built virtual
machine sizes: each family is designed for specific purposes to make it easier
for you to choose the right VM size for the right workload.


The different types are: 


■ General Purpose This size type is most suitable for small- to medium-scale
development environments. It has a balanced CPU-to-memory ratio and, as the name suggests,
is recommended for general use.


■ Compute Optimized This size type has a higher CPU-to-memory ratio and can
be used for CPU-intensive workloads in medium-scale environments. It is ideal for
network appliances or batch processes in small environments.


■ Memory Optimized This size type provides a higher memory-to-CPU ratio and is
ideal for medium-scale database servers. With high memory, these sizes can be used for
caches or for in-memory analytics.


■ Storage Optimized This size type offers high disk throughput and I/O, which makes
it a good fit for large transactional databases, such as Cassandra, MongoDB, and so on.
It can also be used for Big Data and data warehousing.


■ GPU Optimized This size type provides VMs with one or many NVIDIA GPUs. It provides
high compute and graphics capability, which is ideal for visualization workloads.


■ High Performance Compute This size type is capable of handling batch processing,
molecular modeling, and fluid dynamics. This size type offers substantial CPU power
and diverse options for low-latency RDMA networking using FDR InfiniBand and several
memory configurations to support memory-intensive computational requirements.


Azure virtual machines make it relatively easy to change the size of a virtual machine, even 
after it has been deployed. There are a few things to consider with this approach. 


The first consideration is to ensure that the region your VM is deployed to supports the 
instance size that you want to change the VM to. In most cases this is not an issue, but if you 
have a use case where the desired size isn’t in the region to which the existing VM is deployed, 
your only options are to either wait for the size to be supported in the region or to move the 
existing VM to a region that already supports it. 

The second consideration is whether the new size is supported in the current hardware cluster
in which your VM is deployed. This can be determined by clicking the Size link in the virtual
machine configuration blade in the Azure portal of a running virtual machine, as Figure 3-38
demonstrates. If the size is available, you can select it. Changing the size reboots the virtual
machine.
[Screenshot: examrefVM | Size blade listing the sizes available to the running VM, with filters for Size (Small), Generation (2) and an Add filter option; the General purpose family is shown with Premium disk: Supported.]


FIGURE 3-38 Changing the size of an Azure virtual machine using the Azure portal


If a desired size is not available, it means either the size is not available in the region or
it is not available on the current hardware cluster. You can view the available sizes by region at
https://azure.microsoft.com/regions/services/. If you need to change to a different hardware
cluster, you must first stop the virtual machine, and if it is part of an availability set, you must
stop all instances of the availability set at the same time, because all running VMs in an
availability set must use the same physical hardware cluster. After all the VMs are stopped, you
can change the size, which moves the VMs to the new hardware cluster as they are resized and
restarted one by one.
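Both considerations scripted with Az PowerShell, as an added example that is not code from the book: the region check uses the size list for the location, the cluster check uses the size list for the running VM (the same list the Size blade shows), and the availability-set rule is enforced by deallocating every member before the resize. The names examrefRG and examrefVM and the target size Standard_DS2_v2 are assumptions.

```powershell
# Added example, not the book's code: resize a VM with the region and hardware-cluster checks.
# Assumed names: examrefRG, examrefVM; assumed target size Standard_DS2_v2.
$rg = 'examrefRG'; $vmName = 'examrefVM'; $newSize = 'Standard_DS2_v2'
$vm = Get-AzVM -ResourceGroupName $rg -Name $vmName

# Consideration 1: is the size offered in the VM's region at all?
$inRegion = (Get-AzVMSize -Location $vm.Location).Name
if ($newSize -notin $inRegion) {
    throw "$newSize is not offered in $($vm.Location): wait for it, or move the VM to a region that has it"
}

# Consideration 2: is it offered on the hardware cluster the VM currently runs on?
$onCluster = (Get-AzVMSize -ResourceGroupName $rg -VMName $vmName).Name

if ($newSize -in $onCluster) {
    # Same cluster: the resize reboots the VM but needs no deallocation.
    $vm.HardwareProfile.VmSize = $newSize
    Update-AzVM -ResourceGroupName $rg -VM $vm | Out-Null
} else {
    # Different cluster: deallocate this VM and, if it is in an availability set, every other
    # member as well, because the whole set must run on one physical cluster.
    $members = @($vm)
    if ($vm.AvailabilitySetReference) {
        $asRes = Get-AzResource -ResourceId $vm.AvailabilitySetReference.Id
        $avSet = Get-AzAvailabilitySet -ResourceGroupName $asRes.ResourceGroupName -Name $asRes.Name
        $members = foreach ($ref in $avSet.VirtualMachinesReferences) {
            $r = Get-AzResource -ResourceId $ref.Id
            Get-AzVM -ResourceGroupName $r.ResourceGroupName -Name $r.Name
        }
    }
    $members | ForEach-Object { Stop-AzVM -ResourceGroupName $_.ResourceGroupName -Name $_.Name -Force | Out-Null }

    $vm.HardwareProfile.VmSize = $newSize
    Update-AzVM -ResourceGroupName $rg -VM $vm | Out-Null

    # Restart the members one by one; each lands on the new cluster as it starts.
    $members | ForEach-Object { Start-AzVM -ResourceGroupName $_.ResourceGroupName -Name $_.Name | Out-Null }
}

# Confirm the new size took effect.
(Get-AzVM -ResourceGroupName $rg -Name $vmName).HardwareProfile.VmSize
```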


MORE INFO VIRTUAL MACHINE SIZES


There are a lot of considerations when choosing the correct virtual machine size. For more
information on sizes in the context of Windows-based virtual machines see
https://docs.microsoft.com/azure/virtual-machines/windows/sizes. For the Linux version of the article,
see https://docs.microsoft.com/azure/virtual-machines/linux/sizes.


Add data disks 


Adding a data disk to an existing Azure virtual machine using the Azure portal is almost identical
to the creation process. From within the virtual machine configuration blade, click Disks,
and then click Add Data Disk. This action will open the dialog displayed in Figure 3-39. From
there, you can choose one of the existing disks that are available to attach, or you can click
Create to create a new disk that will walk through the create disk user experience.


[Screenshot: examrefVM | Disks blade with the Add data disk option.]


FIGURE 3-39 Adding data disk to an Azure virtual machine in the Azure portal


If your virtual machine was created with managed disks enabled, you will see the Create A 
Managed Disk blade shown in Figure 3-40. From here, you can specify the Name of the disk, 
the Resource Group, the Source type, the OS type, Size and Encryption type. 


You can use the following source types to create a new managed disk: 


■ Snapshot If selected, you can browse for snapshots in the current subscription and
location.


■ Storage Blob If selected, you can browse storage accounts in all subscriptions you
have access to, so you can select the VHD.


■ None If selected, a new empty VHD is created.


EXAM TIP


If the virtual machine is deployed into an availability zone and you are creating the disk using
PowerShell, use the Zone parameter of the New-AzDiskConfig cmdlet to specify the availability
zone in which to create the disk.


EXAM TIP


If the virtual machine is deployed into an availability zone, the disk is automatically placed 
into the same zone as the virtual machine using Azure CLI. 
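Creating and attaching a data disk with Az PowerShell, as an added example that is not code from the book. It demonstrates the PowerShell exam tip (the Zone parameter of New-AzDiskConfig is passed explicitly, matching the VM's zone) and, because the same cmdlet takes -DiskEncryptionSetId, the customer-managed-key data disk described earlier in "Enable encryption on a newly added data disk". The names examrefRG, examrefVM, examrefDataDisk and examrefDESet are assumptions; the disk encryption set is assumed to exist.

```powershell
# Added example, not the book's code: managed data disk with explicit zone and CMK, attached to a VM.
# Assumed names: examrefRG, examrefVM, examrefDataDisk, examrefDESet (existing disk encryption set).
$rg = 'examrefRG'; $vmName = 'examrefVM'; $diskName = 'examrefDataDisk'
$vm  = Get-AzVM -ResourceGroupName $rg -Name $vmName
$des = Get-AzDiskEncryptionSet -ResourceGroupName $rg -Name 'examrefDESet'

# Empty 1024 GiB Premium SSD, as in Figure 3-34. PowerShell does not inherit the VM's zone
# (the exam tip), so pass -Zone when the VM is zonal; a disk in another zone cannot be attached.
$diskParams = @{
    Location            = $vm.Location
    CreateOption        = 'Empty'
    DiskSizeGB          = 1024
    SkuName             = 'Premium_LRS'
    DiskEncryptionSetId = $des.Id      # customer-managed key instead of the platform-managed default
}
if ($vm.Zones) { $diskParams['Zone'] = $vm.Zones }
$diskConfig = New-AzDiskConfig @diskParams
$disk = New-AzDisk -ResourceGroupName $rg -DiskName $diskName -Disk $diskConfig

# Use the first free LUN instead of hard-coding 0, which collides on VMs that already have data disks.
$usedLuns = @($vm.StorageProfile.DataDisks | ForEach-Object { $_.Lun })
$lun = 0
while ($lun -in $usedLuns) { $lun++ }

$vm = Add-AzVMDataDisk -VM $vm -Name $diskName -CreateOption Attach -ManagedDiskId $disk.Id -Lun $lun -Caching None
Update-AzVM -ResourceGroupName $rg -VM $vm | Out-Null

# Verify the attachment and that the disk resource reports the customer-managed key type.
(Get-AzVM -ResourceGroupName $rg -Name $vmName).StorageProfile.DataDisks | Select-Object Name, Lun
(Get-AzDisk -ResourceGroupName $rg -DiskName $diskName).Encryption.Type   # EncryptionAtRestWithCustomerKey
```

Drop the DiskEncryptionSetId entry from the hashtable to get the platform-managed default shown in Figure 3-40; the rest of the flow is unchanged.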
[Screenshot: Create a managed disk. "Create a new disk to store applications and data on your VM. Disk pricing varies based on factors including disk size, storage type, and number of transactions." Disk name examrefDataDiskExample; Resource group examrefRG; Source type Storage blob; Source subscription Visual Studio Ultimate with MSDN; Source blob (Browse); OS type Windows / Linux; Size 1024 GiB, Premium SSD (Change size); Encryption type (Default) Encryption at-rest with a platform-managed key.]


FIGURE 3-40 The Create Managed Disk blade in the Azure portal


Configure networking 


During the virtual machine provisioning process in the Azure portal you can set the following 
options using the Networking blade, as shown in Figure 3-41. 


■ The virtual network, subnet, and the public IP address
■ The network security group for the network interface card (NIC)
■ The public inbound ports that should be open (if any)
■ If accelerated networking should be enabled
■ If the VM should be included in an existing Azure Load Balancer back-end pool
[Screenshot: Create a virtual machine, Networking tab. "Define network connectivity for your virtual machine by configuring network interface card (NIC) settings. You can control ports, inbound and outbound connectivity with security group rules, or place behind an existing load balancing solution." Network interface ("When creating a virtual machine, a network interface will be created for you."): Virtual network examrefRG-vnet; Subnet default (10.0.1.0/24); Public IP (new) examrefDemoVM-ip; NIC network security group None / Basic / Advanced; Public inbound ports None / Allow selected ports; Accelerated networking Off ("The selected VM size does not support accelerated networking"). Load balancing: "You can place this virtual machine in the backend pool of an existing Azure load balancing solution." Place this virtual machine behind an existing load balancing solution? Yes / No. Buttons: Previous, Next : Management.]


FIGURE 3-41 Specifying the networking options for a virtual machine during creation


MORE INFO NETWORK SECURITY GROUPS


A network security group (NSG) is a networking filter containing a list of security rules which
control network traffic when applied. These rules can manage both inbound and outbound
traffic. A network security group can be associated to a network interface, the subnet the
network interface is in, or both. To simplify management of security rules, it's recommended that
whenever possible, you associate a network security group to individual subnets, rather than
individual network interfaces within the subnet. You will learn more about NSGs in Chapter 4,
"Configure and manage virtual networks."
There are several networking features you need to understand to effectively use Azure
virtual machines, as well as to prepare for the exam. In this chapter, you will learn some of
these concepts; in Chapter 4, "Configure and manage virtual networking," you will learn
in depth about virtual networks, network security groups, subnets, IP addresses, and DNS
management.


MORE INFO APPLICATION SECURITY GROUPS


An application security group (ASG) enables you to define network security policies based on 
workloads with rules focused on applications instead of IP and network addresses. They allow 
you to group virtual machines with monikers and secure applications by filtering traffic from 
trusted segments of your network. Like NSGs, you will learn more about ASGs in Chapter 4, 
“Configure and manage virtual networks.” 
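The NSG recommendation and the ASG idea from the two MORE INFO boxes, combined in one Az PowerShell example that is not code from the book: the NSG is associated with the subnet rather than with each NIC, and its only inbound allow rule admits RDP from a management prefix to members of an application security group instead of to addresses. The names examrefRG, examrefRG-vnet, default (10.0.1.0/24) and examrefNIC follow Figure 3-41 and are assumptions; 203.0.113.0/24 is a constructed management range from the RFC 5737 documentation block.

```powershell
# Added example, not the book's code: subnet-level NSG whose RDP rule targets an ASG.
# Assumed names: examrefRG, examrefRG-vnet, subnet default, examrefNIC (existing NIC of the VM).
# 203.0.113.0/24 is a constructed "management network" placeholder (RFC 5737).
$rg = 'examrefRG'; $location = 'canadaeast'
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'examrefRG-vnet'

# ASG: membership is assigned per NIC, so the rule keeps working when private IPs change.
$asg = New-AzApplicationSecurityGroup -ResourceGroupName $rg -Name 'examrefRdpHosts' -Location $location

# Allow 3389 only from the management prefix and only to ASG members. Everything else
# inbound from the Internet is still dropped by the built-in DenyAllInBound rule.
$rdp = New-AzNetworkSecurityRuleConfig -Name 'AllowRdpFromMgmt' -Priority 100 -Direction Inbound `
    -Access Allow -Protocol Tcp -SourceAddressPrefix '203.0.113.0/24' -SourcePortRange '*' `
    -DestinationApplicationSecurityGroupId $asg.Id -DestinationPortRange 3389

$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Name 'examrefSubnetNsg' -Location $location -SecurityRules $rdp

# Associate the NSG with the subnet (one place to manage rules), not with each NIC.
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'default'
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'default' `
    -AddressPrefix $subnet.AddressPrefix -NetworkSecurityGroup $nsg | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# Make the VM's NIC a member of the ASG so the rule applies to it; keep a static IP static.
$nic   = Get-AzNetworkInterface -ResourceGroupName $rg -Name 'examrefNIC'
$ipcfg = $nic.IpConfigurations[0]
$ipParams = @{ NetworkInterface = $nic; Name = $ipcfg.Name; SubnetId = $ipcfg.Subnet.Id; ApplicationSecurityGroup = $asg }
if ($ipcfg.PrivateIpAllocationMethod -eq 'Static') { $ipParams['PrivateIpAddress'] = $ipcfg.PrivateIpAddress }
Set-AzNetworkInterfaceIpConfig @ipParams | Out-Null
$nic | Set-AzNetworkInterface | Out-Null

# Check what is really allowed into that NIC (effective rules merge subnet and NIC NSGs; the VM must be running).
Get-AzEffectiveNetworkSecurityGroup -ResourceGroupName $rg -NetworkInterfaceName 'examrefNIC' |
    Select-Object -ExpandProperty EffectiveSecurityRules |
    Where-Object { $_.Access -eq 'Allow' -and $_.Direction -eq 'Inbound' } |
    Select-Object Name, SourceAddressPrefix, DestinationPortRange
```

The effective-rules query at the end is the check to run after any NSG change: it shows the merged result of subnet and NIC associations, which is what the VM actually enforces.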


Accelerated networking 


Accelerated networking enables single root I/O virtualization (SR-IOV) to a virtual machine, 
which greatly improves its networking performance. This feature improves performance by 
bypassing the virtual switch between the host VM and the physical switch. Figure 3-42 shows 
two deployments: The deployment on the left does not have accelerated networking, and the 
deployment on the right has accelerated networking enabled. 


Accelerated networking can be enabled at the time of creation or after the virtual machine 
is created, if the following pre-requisites are met: 


■ The VM must be a supported size for accelerated networking.


■ The VM must use a supported Azure Gallery image (and use a supported kernel version
if you are using Linux). You can use a custom image as long as you have the appropriate
drivers.


■ All VMs in an availability set or VMSS must be stopped/deallocated before enabling
accelerated networking on any NIC.


Supported sizes: 


■ Accelerated networking is supported on most general-purpose and compute-optimized
instance sizes with two or more vCPUs. D/DSv2 and F/Fs series are
supported.


■ On instances that support hyperthreading, accelerated networking is supported on VM
instances with four or more vCPUs. The following series are supported: D/DSv3, E/ESv3,
Fsv2, and Ms/Mms.


The following Windows-based images from the Azure Marketplace are supported:
■ Windows Server 2019 Datacenter
■ Windows Server 2016 Datacenter
■ Windows Server 2012 R2 Datacenter
FIGURE 3-42 Virtual machines deployed with and without accelerated networking enabled


Supported Linux-based images from the Azure Marketplace:
■ Ubuntu 16.04 or later
■ Ubuntu 14.04 with the Linux-Azure kernel
■ SLES 12 SP3 or later
■ RHEL 7.4 or later
■ CentOS 7.4 or later
■ CoreOS Linux
■ Debian "Stretch" with backports kernel
■ Oracle Linux 7.4 and later with Red Hat Compatibility Kernel
■ Oracle Linux 7.5 and later with UEK version 5
■ FreeBSD 10.4, 11.1 and 12.0
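Enabling accelerated networking on an existing VM with Az PowerShell, as an added example that is not code from the book. It enforces the third prerequisite (the VM is deallocated first, and a VM that belongs to an availability set or scale set is refused rather than stopped on its own) and flips the flag on every NIC; the size and image prerequisites are not verified here, and an unsupported size makes the NIC update fail. The names examrefRG and examrefVM are assumptions.

```powershell
# Added example, not the book's code: enable accelerated networking on all NICs of a VM.
# Assumed names: examrefRG, examrefVM. Size/image support is left for the caller to confirm.
function Enable-ExamRefAcceleratedNetworking {
    param([string]$ResourceGroupName = 'examrefRG', [string]$VMName = 'examrefVM')

    $vm = Get-AzVM -ResourceGroupName $ResourceGroupName -Name $VMName

    # Third prerequisite: every member of an availability set or VMSS must be deallocated
    # first, so refuse here instead of silently stopping just one member.
    if ($vm.AvailabilitySetReference -or $vm.VirtualMachineScaleSet) {
        throw "$VMName belongs to an availability set or scale set; deallocate all members before enabling accelerated networking"
    }

    Stop-AzVM -ResourceGroupName $ResourceGroupName -Name $VMName -Force | Out-Null

    $nics = $vm.NetworkProfile.NetworkInterfaces | ForEach-Object { Get-AzNetworkInterface -ResourceId $_.Id }
    foreach ($nic in $nics) {
        if (-not $nic.EnableAcceleratedNetworking) {
            $nic.EnableAcceleratedNetworking = $true
            $nic | Set-AzNetworkInterface | Out-Null   # the SR-IOV virtual function is attached at next start
        }
    }

    Start-AzVM -ResourceGroupName $ResourceGroupName -Name $VMName | Out-Null

    # Re-read each NIC and report the flag.
    $nics | ForEach-Object { Get-AzNetworkInterface -ResourceId $_.Id } |
        Select-Object Name, EnableAcceleratedNetworking
}

Enable-ExamRefAcceleratedNetworking
```

Inside the guest the change is visible as an extra Mellanox virtual-function adapter (Get-NetAdapter on Windows, lspci on Linux) once the VM is back up; if it is missing, the size or image prerequisite was not met.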


MORE INFO LEARNING MORE ABOUT ACCELERATED NETWORKING
You can learn more about using accelerated networking on Windows- and Linux-based virtual
machines:


■ Windows https://docs.microsoft.com/azure/virtual-network/create-vm-accelerated-networking-powershell


■ Linux-based VMs https://docs.microsoft.com/azure/virtual-network/create-vm-accelerated-networking-cli
Connecting to virtual machines


There are many ways to connect to virtual machines. You should consider options such as
connecting to VMs using their public IP addresses and protecting VMs with network security
groups and allowing only the port for the service you are connecting to. You should also
understand how to connect to a VM on its private IP address. This introduces additional
connectivity requirements, such as ExpressRoute, Site-to-Site VPN, or Point-to-Site VPN to put
your client on the same network as your VMs. These technologies are discussed in Chapter 4. In
this section, we'll review the most common tools to connect and manage your VMs.


Authentication options 


For Windows-based virtual machines, usernames can be a maximum of 20 characters in length
and cannot end in a period ("."). Many common usernames are blocked during the creation
process. Examples of blocked account names include: 1, 123, a, admin, administrator, john, and
several other easily guessable names. Passwords must be between 12 and 123 characters in
length, and they must meet several complexity requirements.


For Linux-based virtual machines, you can specify an existing SSH public key or a password 
when creating a Linux VM. Linux usernames must be between 1 and 32 characters in length, 
and passwords must be between 6 and 72 characters. Like Windows, certain easily guessable 
usernames and passwords are automatically blocked when creating through the Azure portal. 


If you choose to use the SSH public key option, you must enter (or paste in) the public key
of your SSH key pair. You can create the key pair using the following command:


ssh-keygen -t rsa -b 2048 


To retrieve the public key of your new key pair, run the following command in a bash console:


cat ~/.ssh/id_rsa.pub 


From there, copy all of the data starting with ssh-rsa and ending with the last character on 
the screen, pasting it into the SSH public key box while creating a virtual machine in the Azure 
portal. Make sure you don’t include any extra spaces. 
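The SSH key workflow above carried through to VM creation with Az PowerShell, as an added example that is not code from the book: it generates the key pair with ssh-keygen (shipped with Windows 10/11 and most Linux distributions), reads the public key in exactly the single-line form the portal's SSH public key box expects (trimmed, checked for a trailing newline or stray spaces), and builds a Linux VM configuration that accepts only that key, with password authentication disabled. The names examrefRG, examrefLinuxVM, examrefNIC, the user azureuser and the key file ~/.ssh/examref_id_rsa are assumptions; the NIC is assumed to exist.

```powershell
# Added example, not the book's code: key-only SSH login for a new Linux VM via Az PowerShell.
# Assumed names: examrefRG, examrefLinuxVM, examrefNIC (existing), user azureuser, key ~/.ssh/examref_id_rsa.
$keyPath = Join-Path $HOME '.ssh/examref_id_rsa'
if (-not (Test-Path $keyPath)) {
    # Same command as in the text, with an explicit file name; ssh-keygen prompts for a passphrase.
    ssh-keygen -t rsa -b 2048 -f $keyPath -C 'azureuser@examref'
}

# The portal (and the API) want one line starting with ssh-rsa and no surrounding whitespace.
$pubKey = (Get-Content "$keyPath.pub" -Raw).Trim()
if ($pubKey -notmatch '^ssh-rsa AAAA[0-9A-Za-z+/]+=*( .*)?$') {
    throw 'Public key is not in the single-line OpenSSH format expected by Azure'
}

$rg = 'examrefRG'; $user = 'azureuser'
$nic = Get-AzNetworkInterface -ResourceGroupName $rg -Name 'examrefNIC'

# A credential object is still required by the cmdlet, but with -DisablePasswordAuthentication
# the password is never usable for login, so a random throw-away value is fine.
$throwaway = ConvertTo-SecureString ([guid]::NewGuid().ToString()) -AsPlainText -Force
$cred = [pscredential]::new($user, $throwaway)

$vmConfig = New-AzVMConfig -VMName 'examrefLinuxVM' -VMSize 'Standard_DS1_v2' |
    Set-AzVMOperatingSystem -Linux -ComputerName 'examrefLinuxVM' -Credential $cred -DisablePasswordAuthentication |
    Set-AzVMSourceImage -PublisherName Canonical -Offer UbuntuServer -Skus 18.04-LTS -Version latest |
    Add-AzVMNetworkInterface -Id $nic.Id |
    Add-AzVMSshPublicKey -KeyData $pubKey -Path "/home/$user/.ssh/authorized_keys"

New-AzVM -ResourceGroupName $rg -Location $nic.Location -VM $vmConfig | Out-Null

# Verify the VM really has password authentication off.
(Get-AzVM -ResourceGroupName $rg -Name 'examrefLinuxVM').OSProfile.LinuxConfiguration.DisablePasswordAuthentication
```

The format check before deployment catches the "extra spaces" problem the text warns about at the point where it is cheap to fix, rather than after a failed or, worse, a password-only deployment.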


MORE INFO LEARN MORE ABOUT USERNAME AND PASSWORD REQUIREMENTS 


For information on username and password requirements on Windows VMs, see
https://docs.microsoft.com/azure/virtual-machines/windows/faq or for Linux-based VM requirements,
see: https://docs.microsoft.com/azure/virtual-machines/linux/faq.


Add network interfaces 


A network interface enables an Azure virtual machine to communicate with the Internet, 
Azure, and on-premises resources. Common use cases for having multiple network interfaces 
are as follows: 


■ Network and security function Multiple network interfaces enable virtual network
appliances, such as load balancers, firewalls, and proxy servers.
■ Network isolation Common best practices include isolating public-facing services
from internal networks.


■ Bandwidth isolation In certain cases, such as heartbeat signals, it is important to
have isolated traffic to guarantee the minimal amount of bandwidth is available to the
workload.


To add a new network interface to an Azure virtual machine, click the Networking link in
the left navigation pane of the virtual machine configuration blade and then click the Attach
Network Interface link at the top. The following screen allows you to attach an existing network
interface, or you can click Create And Attach Network Interface to create a new one.
Figure 3-43 shows the blade for creating a new network interface.


[Screenshot: Create network interface, Basics tab (tabs: Basics, Tags, Review + create). "Create a network interface and attach it to a virtual machine. A network interface enables a virtual machine to communicate with Internet, Azure, and on-premises resources." Project details: Subscription Visual Studio Ultimate with MSDN; Resource group examrefRG. Instance details: Name examrefNIC; Region (Canada) Canada East; Virtual network ExamRefVnet (Manage selected virtual network); Subnet default (10.1.0.0/24); Private IP address assignment; Private IP address 10.1.0.100; Network security group None; Private IP address (IPv6) unchecked. Buttons: Previous, Next : Tags; Download a template for automation.]


FIGURE 3-43 Creating a new network interface in the Azure portal
After the network interface is created, you must first deallocate the virtual machine before 
you can attach it. You can deallocate the VM by clicking Stop in the Azure portal or by using 
the command-line tools. Then you can attach the network interface, as shown in Figure 3-44. 


[Figure 3-44: the examrefVM Networking blade with the Attach network interface dialog open and examrefNIC selected] 


FIGURE 3-44 Attaching a new network interface to a virtual machine 


By default, the first network interface attached is defined as the primary network interface. 
All others are secondary. You can control which network interface you send outbound traffic 
to; by default, it will be the primary network interface. 


MORE INFO MULTIPLE NETWORK INTERFACES 


Beyond understanding the basics of adding network interfaces, it is important to understand 
the nuances and constraints in this area. The Azure documentation does a great job of 
consolidating and summarizing this information, and you can read more about it at 
https://docs.microsoft.com/azure/virtual-network/virtual-network-network-interface-vm. 


Connecting to a Windows VM with remote desktop 


The default connectivity option for a Windows-based virtual machine is to use the remote 
desktop protocol (RDP) and a Remote Desktop client such as mstsc.exe. The RDP service listens 
on TCP port 3389 and provides full access to the Windows desktop. This service is enabled by 
default on all Windows-based VMs provisioned from the Azure Marketplace. The Azure portal 
provides a Connect button that will appear enabled for virtual machines that have a public IP 
address associated with them, as shown in Figure 3-45. You can also use Azure Bastion to con- 
nect to the Windows VM. Azure Bastion is discussed in detail in Chapter 4. 


You can launch a remote desktop session from Windows PowerShell by using the 
Get-AzRemoteDesktopFile cmdlet. The Get-AzRemoteDesktopFile cmdlet performs the same 
validation as the Azure portal. The API it calls validates that a public IP address is associated 
with the virtual machine's network interface. If a public IP exists, it generates an .rdp file 
consumable with a Remote Desktop client. The .rdp file has the IP address of the VIP and the 
public port (3389) of the specified virtual machine embedded in it. There are two parameters 
that alter what happens with the generated file. 


[Figure 3-45: the examrefVM overview blade with the Connect menu open, offering RDP, SSH, and Bastion] 


FIGURE 3-45 The Connect button for an Azure VM 


Use the Launch parameter to retrieve the .rdp file and immediately open it with a Remote 
Desktop client. The following example launches Mstsc.exe (the Remote Desktop client), and the 
client prompts you to initiate the connection. 


$rgName = "ExamRefRG" 
$vmName = "ExamRefVM" 
Get-AzRemoteDesktopFile -ResourceGroupName $rgName -Name $vmName -Launch 


The second behavior is to specify the LocalPath parameter, as the following example shows. 
Use this parameter to save the .rdp file locally for later use. 


$rgName = "ExamRefRG" 
$vmName = "ExamRefVM" 
$path = "C:\Scratch\ExamRefVM.rdp" 
Get-AzRemoteDesktopFile -ResourceGroupName $rgName -Name $vmName -LocalPath $path 


Connecting to a Linux VM using SSH 


The default connectivity option for a Linux-based virtual machine is to use the secure shell (SSH) 
protocol. This service listens on TCP port 22 and provides full access to a command line shell. By 
default, this service is enabled on all Linux-based VMs. When you click the Connect button on a 
Linux-based virtual machine with a public IP associated with it, you see a dialog box advising you to 
use SSH to connect. Figure 3-46 shows how to connect via SSH to a virtual machine. You can also 
use Azure Bastion to connect to the Linux VM. Azure Bastion is discussed in detail in Chapter 4. 


If the virtual machine is configured for password access, SSH then prompts for the password 
for the user you specified. If you specified the public key for an SSH certificate during the cre- 
ation of the virtual machine, it attempts to use the certificate from the ~/.ssh folder. 

Windows users have many options for connecting using SSH. For example, if you install the 
Windows Subsystem for Linux, you will also install an SSH client that can be accessed from the 
bash command line. You can also install one of many GUI-based SSH clients, such as PuTTY. For 
more about SSH certificate management and some available clients, see 
https://docs.microsoft.com/azure/virtual-machines/linux/ssh-from-windows. 


[Figure 3-46: the Connect blade, SSH tab, "Connect via SSH with client": 1. Open the client of your choice, e.g. PuTTY or other clients. 2. Ensure you have read-only access to the private key (chmod 400 <private key>.pem). 3. Provide a path to your SSH private key file. 4. Run the example command to connect to your VM: ssh -i <private key path> <username>@<public IP address>. Below: "Can't connect?" with links to Test your connection and Troubleshoot SSH connectivity issues] 


FIGURE 3-46 Steps to connect to a virtual machine via SSH 


MORE INFO WINDOWS SUBSYSTEM FOR LINUX 


Windows Subsystem for Linux (known as WSL) provides a way to run Linux distributions 
on Windows 10. There are two versions: WSL1 and WSL2. You can find more details at 
https://docs.microsoft.com/windows/wsl/install-win10. 


Redeploy VMs 


Redeploying the VM might help with troubleshooting issues, such as RDP or SSH connectivity 
or application access. When you redeploy a VM, Azure moves the VM to a new host and powers 
it back on there. The Redeploy button is shown in Figure 3-47. 


[Figure 3-47: the Redeploy blade for the virtual machine in the Azure portal] 


FIGURE 3-47 The redeploy blade in the Azure portal 


To redeploy the VM using PowerShell, use the Set-AzVM cmdlet, as shown here: 


Set-AzVM -Redeploy -ResourceGroupName ExamRefRG -Name ExamRefVM 


To redeploy with the Azure CLI tools, use the az vm redeploy command: 


az vm redeploy --resource-group ExamRefRG --name ExamRefVM 


Skill 3.4: Create and configure containers 


Now that you have a clear understanding of virtual machines and their place in today’s techno- 
logical world, let's discuss another type of virtualization: Containers. 


Containers allow you to package an application and all its dependencies into a compressed 
package called an image. The image can then be uploaded to an image repository. You can 
then install a container runtime on your computer (or a VM) and point it to the image in the 
repository. The container runtime will download the image, extract it, and it will then create a 
container that hosts the application in an isolated environment. 


In addition to the application and its dependencies, a container also contains operating 
system services that the application requires. These operating system services are typically 
included using a lightweight version of the OS, such as Windows Server Core or Alpine Linux. 
The container doesn’t need the entire operating system because it uses the kernel of the host 
operating system. For that reason, you can’t run a Linux-based container on a Windows com- 
puter or vice versa. 


The most popular container runtime is Docker. You can install Docker on Windows, MacOS, 
or Linux. Docker also operates a popular image repository called Docker Hub. 


There are many advantages that companies may realize by using containers. Containers 
require fewer IT resources to deploy, run, and manage. Also, a single computer can run more 
containers than VMs, so hardware costs can be reduced. Perhaps the greatest advantage of 
containers is their flexibility. You can easily lift and shift an application between environments 
using containers, so moving an application from on-premises to the cloud is simplified. 


Azure has many services that utilize containers. In this chapter, we're going to cover two 
of them: Azure Container Instances and Azure Kubernetes Service. Azure Container Instances 
makes it easy to create containers in Azure. Simply point Azure Container Instances to a reposi- 
tory and it creates the container for you. It doesn’t require that you pay for a VM. Instead, 
Azure Container Instances is serverless. Once the container is running, you can access it using a 
public IP address or a DNS name label using the format label.azure_region.azurecontainer.io. 

Azure Kubernetes Service is a cloud-based implementation of the popular container 
orchestration service Kubernetes. Kubernetes runs on top of the container runtime, and it can 
help you to scale and manage a containerized deployment. Configuring Kubernetes on your 
own is complex and requires specialized knowledge. Using Azure Kubernetes Service is much 
simpler because Microsoft has done the heavy lifting for you. 


This section covers how to: 
■ Configure sizing and scaling for Azure Container Instances 
■ Configure container groups for Azure Container Instances 
■ Configure storage for Azure Kubernetes Service (AKS) 
■ Configure scaling for AKS 
■ Configure network connections for AKS 
■ Upgrade an AKS cluster 


Configure sizing and scaling for Azure Container Instances 


You can create a container instance using the Azure portal or from the command line. One 
convenient way to create a container using ACI is Azure Cloud Shell. You can do this from 
within the Azure portal (as shown in Figure 3-48) or using the Azure mobile app. Cloud Shell 
allows you to use PowerShell or Bash, and you can use both the Azure CLI and the Az PowerShell 
module to create and manage Azure resources. 


[Figure 3-48: the Azure portal home page (Azure services: Resource groups, Quickstart Center, Virtual machines, App Services, Storage accounts, SQL databases, Azure Cosmos DB, Kubernetes services) with the Cloud Shell pane open at the bottom in Bash mode] 


FIGURE 3-48 Azure Cloud Shell in the Azure portal 


To create a container in ACI using the CLI, you'll first need to know where the image you 
want to use is hosted. If you don't have an image, Microsoft has a sample image you can use at 
https://mcr.microsoft.com/azuredocs/aci-helloworld. The CLI command shown below creates 
a new container in the AZ104 resource group in the East US region using Microsoft's sample 
image. The container name is az104container. 


az container create -g AZ104 --name az104container --image mcr.microsoft.com/azuredocs/aci-helloworld --dns-name-label az104-test --ports 80 


Once the container is up and running, it can be accessed with the URL http://az104-test. 
eastus.azurecontainer.io on port 80. 


To create the same container using PowerShell, you would run the following command. 


New-AzContainerGroup -ResourceGroupName AZ104 -Name az104container -Image mcr.microsoft.com/azuredocs/aci-helloworld -DnsNameLabel az104-test 


When these commands run, you are actually creating a container group and a container to 
run inside of that container group. A container group is the top-level object in ACI, and it rep- 
resents all the containers running on a particular computer. You can, in fact, deploy a container 
group that runs multiple containers, but doing so requires that you create a deployment in an 
ARM template. When multiple containers are in a container group, they share the same URL, so 
you'll need to specify a separate port for each container. 


EXAM TIP 

Multi-container container groups are currently only supported on Linux. A container group 
that hosts a Windows container can only contain that single container. Microsoft is working on 
feature parity between Linux and Windows containers, so this will likely change in the future. 
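As an added example, not from the book, the two preceding passages expressed as a deployment file: a Linux container group with two containers that share one public IP and DNS label but listen on different ports. The book describes doing this with an ARM template; this uses the equivalent YAML format that az container create --file accepts. The group name, the second container's image, and port 8080 are assumptions.

```yaml
# Added example (not the book's code). Deploy with:
#   az container create -g AZ104 --file aci-group.yaml
# The group name, the "api" image and port 8080 are assumptions, not values from the book.
apiVersion: '2019-12-01'
location: eastus
name: az104group                          # assumed container group name
type: Microsoft.ContainerInstance/containerGroups
properties:
  osType: Linux                           # multi-container groups are Linux-only (exam tip)
  restartPolicy: Always
  containers:
  - name: web
    properties:
      image: mcr.microsoft.com/azuredocs/aci-helloworld   # Microsoft's sample image, listens on 80
      ports:
      - port: 80
      resources:
        requests:
          cpu: 1
          memoryInGb: 1.5                 # the default container size the book gives
  - name: api
    properties:
      image: "<your-registry>/api:1.0"    # placeholder: replace with your own image
      ports:
      - port: 8080                        # must differ from 80: both containers share the group's IP
      resources:
        requests:
          cpu: 1
          memoryInGb: 1.5                 # requests are per container; keep the group's total
                                          # within the 4 core / 16 GB limit the exam tip gives
  ipAddress:
    type: Public
    dnsNameLabel: az104-test              # reachable at az104-test.eastus.azurecontainer.io
    ports:                                # only ports listed here are opened on the public IP,
    - protocol: tcp                       # so list exactly the ones each container needs
      port: 80
    - protocol: tcp
      port: 8080
```

Because the containers share the group's network namespace, http://az104-test.eastus.azurecontainer.io reaches the web container and the same name on port 8080 reaches the api container.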


By default, a container instance will run on a machine with 1 CPU core and 1.5GB of memory. 
If you want to change the number of cores or amount of memory, you have to delete the exist- 
ing container and deploy a new one of the desired size. However, you can scale out by creating 
additional containers, and you can even use a workflow in Logic Apps to automate that based 
on conditions that you choose. 


EXAM TIP 


The largest image you can host in ACI is 15GB. You also cannot create a container that uses 
more than 4 CPU cores and 16GB of memory. 


Configure container groups for Azure Container Instances 


As stated earlier, a container runs inside of a container group. There may be cases where you 
need to update a container group. For example, you might need to change the DNS label for 
a container group. While you can always delete the container group and recreate it, doing so 
takes longer than simply updating the container group. 


To update a container group, use the same command you used to create the group, along 
with the new property value. If you specify an existing container group when you run your 
command, Azure will modify the property of the existing container group, and then it will 
restart the containers within your container group. 


MORE INFO CONTAINER GROUP PROPERTIES 


Not all properties of a container group can be modified. Some properties require 
that you delete and redeploy the container group in order to change them. For 
more information, see 
https://docs.microsoft.com/en-us/azure/container-instances/container-instances-update#properties-that-require-container-delete. 


Configure storage for Azure Kubernetes Service (AKS) 


As applications grow, they may span multiple services running in multiple containers, and 
these containers may be running on multiple servers. This complexity may become difficult 
to manage with Azure Container Instances. AKS includes an orchestrator that can help you to 
manage the complexity of a multi-container deployment. 


MORE INFO K8S 


Kubernetes is often shortened to “K8s,” with the “8” representing the 10 letters between the 
“K" and the “s.” You'll hear K8s pronounced different ways, but the most common pronuncia- 
tions are “kates,” “k-eights,” and “k 8 s.” 


AKS deployments run in a cluster, and each computer in the cluster is referred to as a node. 
There is a single node that’s responsible for the other nodes in the cluster, and that node is 
commonly referred to as the control plane. The other computers in the cluster are most com- 
monly referred to as nodes. 


Inside of a cluster, you'll find one or more containers. These containers run inside of a pod. A 
pod can run a single container, but it can also run multiple containers. When multiple con- 
tainers are running in a pod, they share storage and a single IP address. Therefore, if multiple 
containers require interoperability and the ability to share resources, it makes the most sense 
to deploy them all to the same pod. 


Before we can discuss scaling, sizing, or networking capabilities of AKS, we need to under- 
stand that any applications running in AKS may need to read and write data. Therefore, they 
will need storage. 


Azure Disks can be used for storage with AKS. To create and configure an Azure disk using 
the Azure CLI, use the code below. This command will create the disk and then display the ID of 
the disk in the output. 


az disk create --resource-group AZ-104 --name 104disk --size-gb 50 --query id --output tsv 


EXAM TIP 


The resource group you specify when creating your disk is the resource group for the AKS 
cluster. If you don’t know the resource group of your AKS cluster, you can use the az aks 
show command in the Azure CLI. 


Azure Disks can only be used by a single pod. If you need to access storage across multiple 
pods, you should use Azure Files instead. When you use Azure Files, you'll be able to access 
your storage using an SMB path that any of your pods can use. Whether you use Azure Disks or 
Azure Files, if you create your storage as part of your pod, that storage will not exist when the 
pod is deleted. This is more impactful than you might think at first. Consider a situation where 
AKS determines your pod needs to be rescheduled on another host, a situation that's almost 
certain as part of orchestration. In such a situation, the data you're storing will not persist. If 
you require that the lifecycle of your stored data not be tied to the lifecycle of the pod, you 
should use persistent volumes instead. 

Persistent volumes can also use Azure Files or Azure Disks, and they can either be created by 
the AKS cluster administrator or by the Kubernetes API. Unlike non-persistent volumes created 
along with a pod, the persistent volume exists within the cluster, but outside of the pod. Kuber- 
netes connects the persistent volume to the pod using a persistent volume claim. The persistent 
volume claim contains information about what type, tier, and size of storage is required, and 
it's used when creating the Azure Files share or the Azure disk. 
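An added example, not from the book, that turns the two preceding paragraphs into manifests: one persistent volume claim on Azure Files and one on Azure Disks, and a three-replica Deployment that mounts the Azure Files claim from every pod. It uses the built-in AKS storage classes azurefile-csi and managed-csi; the claim names, sizes, mount path, and the Deployment name az104 (the one the scaling section later scales) are assumptions.

```yaml
# Added example (not the book's code). Apply with: kubectl apply -f az104-storage.yaml
# Claim names, sizes and the mount path are assumptions.
#
# Azure Files-backed claim: ReadWriteMany, so several pods (on any node) can mount
# the same SMB share. AKS creates the file share from this claim.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: az104-shared-pvc
spec:
  accessModes:
  - ReadWriteMany
  storageClassName: azurefile-csi        # built-in AKS storage class backed by Azure Files
  resources:
    requests:
      storage: 5Gi
---
# Azure Disk-backed claim: ReadWriteOnce, so the disk can be attached to one node at a
# time. Only pods scheduled on that node can use it, which is why a disk suits a single pod.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: az104-disk-pvc
spec:
  accessModes:
  - ReadWriteOnce
  storageClassName: managed-csi          # built-in AKS storage class backed by Azure Disks
  resources:
    requests:
      storage: 50Gi                      # same size as the book's az disk create example
---
# The az104 Deployment. Its volume is a persistent volume claim rather than storage
# created with the pod, so the data survives the pod being rescheduled to another node.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: az104
spec:
  replicas: 3
  selector:
    matchLabels:
      app: az104
  template:
    metadata:
      labels:
        app: az104
    spec:
      containers:
      - name: web
        image: mcr.microsoft.com/azuredocs/aks-helloworld:v1   # Microsoft's AKS sample image
        ports:
        - containerPort: 80
        volumeMounts:
        - name: shared
          mountPath: /mnt/shared
      volumes:
      - name: shared
        persistentVolumeClaim:
          claimName: az104-shared-pvc    # az104-disk-pvc here would leave replicas on other
                                         # nodes stuck with a Multi-Attach error
```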


Configure scaling for AKS 


Applications can demand varying workloads. In order to keep up with demand, you may need 
to add additional AKS nodes, increase resources of existing nodes, or create more instances of 
your application. 


AKS provides the ability to manually scale or to automatically scale, and you can scale at the 
cluster level when you need to scale nodes and at the pod level when you need to scale pods. 
You can even incorporate ACI into your AKS cluster in order to handle situations where you 
need to add additional nodes quickly. 


To manually scale your pods, you can use Kubectl, a command-line tool provided by Kuber- 
netes. You can access Kubectl from within the Azure CLI. Once you've opened the CLI and con- 
nected to your Azure subscription, run the following command to install Kubectl. 


az aks install-cli 


You'll then need to authenticate to your cluster by using the following command. Note that 
you specify the resource group and name of your AKS cluster in this command. 


az aks get-credentials --resource-group aks_rg --name aks_cluster 


Once you've done that, you can use Kubectl to scale your pod. The following command 
increases the number of pods in my az104 deployment to 3. 


kubectl scale --replicas=3 deployment/az104 


To manually scale your cluster and add additional nodes, you can use the Azure CLI or Pow- 
erShell. The following CLI command scales my cluster to three nodes. 


az aks scale --resource-group aks_rg --name aks_cluster --node-count 3 


You can perform the same operation with PowerShell using the following command. 


Get-AzAksCluster -ResourceGroupName aks_rg -Name aks_cluster | Set-AzAksCluster -NodeCount 3 


Manually scaling can be convenient, but it’s much more likely that you'll want to scale based 
on the dynamic needs of your deployment. Kubernetes provides two autoscaler components 
to make it easy to configure auto-scaling; the horizontal pod autoscaler (HPA) and the cluster 
autoscaler. 


To use the HPA to scale your pods, use Kubectl to run the autoscale command on your 
deployment. The following example sets the az104 deployment to autoscale when CPU usage 
exceeds 60 percent of the CPU that it was configured for when it was deployed. The HPA will 
scale to a maximum of five pods and a minimum of two pods. 


kubectl autoscale deployment az104 --cpu-percent=60 --max=5 --min=2 


To use the cluster autoscaler to autoscale the number of nodes in your cluster, you can use 
the Azure CLI. The following command configures my AKS cluster for a maximum of five nodes 
and a minimum of one. 


az aks update --resource-group aks_rg --name aks_cluster --enable-cluster-autoscaler --max-count 5 --min-count 1 


Note that you can also include these settings when you create your cluster. 


EXAM TIP 


Under the hood, AKS uses Virtual Machine Scale Sets (VMSS) to implement cluster autoscal- 
ing. However, you should never attempt to interact with the VMSS directly. 


Configure network connections for AKS 


When creating an AKS cluster, you have two options for networking: kubenet and Azure 
Container Networking Interface (CNI). By default, AKS will use kubenet networking, also called 
basic networking. However, you can specify to use CNI (or advanced) networking if desired. 


When you use kubenet networking, each node in the cluster gets an IP address from the 
VNet subnet where the cluster is deployed. However, each pod within the cluster gets an 
internal IP address from an address space explicitly set aside for the pods. When you use CNI 
networking, both the nodes and the pods receive an IP address from the subnet. 

Kubenet does reduce the number of IP addresses you need for your cluster, but because 
all pods are using an IP address internal to the cluster, network address translation (NAT) is 
required in order for the pods to establish a network connection to other Azure resources. It 
also means that other VMs in Azure or on-premises can’t directly establish communication 
with those pods. 


Whether you're using kubenet or CNI, there are challenges with networking in Kubernetes. 
Kubernetes is designed to orchestrate pods, and that means that it spins them up and tears 
them down as needed. Because of that, the IP addresses for your pods are constantly changing. 
For that reason, Kubernetes implements the concept of a service that sits between incoming 
network traffic and one or more identical pods. The service gets an IP address from a specific 
IP address pool set aside for services, and because the service is always running, it's not 
affected by pod lifecycle. 

When network traffic needs to reach a particular pod (for example, a pod running a website 
that needs to process an HTTP request), the traffic is received by the service. The service will 
then balance the traffic to the pods using a round robin algorithm. 


There are multiple service types. 
■ ClusterIP Provides an internal IP address that can only be used within the AKS cluster. 

■ NodePort Provides a port mapping on the node, allowing network traffic to reach the node using the specified port. (Note that a different port can then be used from the service to the actual pod.) 

■ LoadBalancer Provides an Azure Load Balancer and an external IP address to allow access to the node as per load balancing rules that are created. (Internal load balancers can be created to restrict access from the Internet.) 

■ ExternalName Provides a DNS entry for AKS nodes. 

When using a LoadBalancer service type, the load balancer distributes traffic based on the 
originating port. However, there may be situations where you need more control over where 
traffic is routed. For example, suppose your cluster is hosting a web service, and you need 
traffic to be distributed to specific pods based on the incoming URL. A LoadBalancer service 
is unable to implement rules to deal with that, so in a case such as this, you can use an ingress 
controller to handle the traffic. 

You can use NGINX for an ingress controller in AKS, but you can also use other methods 
such as the AKS HTTP application routing feature or the Application Gateway Ingress Control- 
ler (AGIC) add-on. AGIC uses Application Gateway in Azure to make services in your cluster 
available over the Internet. 


MORE INFO 


Network security in an AKS cluster is handled using NSGs and network policy. Azure creates 
NSG rules for you as you create resources. Network policy is a feature in Kubernetes that 
enables you to control network traffic between pods. 
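The service, ingress and network policy objects described above, as an added example that is not part of the book: an internal LoadBalancer service, a ClusterIP service, an Ingress that routes by URL path (which a LoadBalancer service cannot do), and a NetworkPolicy that limits which pods can reach the API pods. The service and hostname values, the pod labels, and the NGINX ingress controller in the ingress-nginx namespace are assumptions.

```yaml
# Added example (not the book's code). Names, the hostname, pod labels and the ingress
# class are assumptions. Apply with: kubectl apply -f az104-network.yaml
#
# LoadBalancer service kept inside the VNet: the annotation asks AKS for an internal
# Azure Load Balancer instead of a public IP (the "internal load balancers" the list mentions).
apiVersion: v1
kind: Service
metadata:
  name: az104-web
  annotations:
    service.beta.kubernetes.io/azure-load-balancer-internal: "true"
spec:
  type: LoadBalancer
  selector:
    app: az104
  ports:
  - port: 80              # port on the service / load balancer
    targetPort: 80        # port the pod listens on; may differ from the service port
---
# ClusterIP service for the API pods: reachable only from inside the cluster.
apiVersion: v1
kind: Service
metadata:
  name: az104-api
spec:
  type: ClusterIP
  selector:
    app: az104-api
  ports:
  - port: 80
    targetPort: 8080
---
# Path-based routing through an ingress controller: /api goes to the API service,
# everything else to the web service. Assumes an NGINX ingress controller is installed.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: az104-ingress
spec:
  ingressClassName: nginx
  rules:
  - host: app.example.com            # assumed hostname
    http:
      paths:
      - path: /api
        pathType: Prefix
        backend:
          service:
            name: az104-api
            port:
              number: 80
      - path: /
        pathType: Prefix
        backend:
          service:
            name: az104-web
            port:
              number: 80
---
# Network policy: only pods in the ingress controller's namespace may reach the API pods,
# and only on TCP 8080; every other ingress connection to them is dropped. Needs a
# cluster created with a network policy engine (az aks create --network-policy azure|calico).
# Kubernetes 1.21+ sets the kubernetes.io/metadata.name label on every namespace itself.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-allow-ingress-controller-only
spec:
  podSelector:
    matchLabels:
      app: az104-api
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: ingress-nginx
    ports:
    - protocol: TCP
      port: 8080
```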


Upgrade an AKS cluster 


Kubernetes is constantly being updated, and whether it’s because you want to access new 
features or because you want to ensure you have all the latest bug fixes, you are likely going to 
need to upgrade your AKS cluster at some point. 


The first step in upgrading a cluster is to determine whether updates are even available. You 
can do this easily using the Azure CLI with the following command. 


az aks get-upgrades --resource-group aks_rg --name aks_cluster 


The output of this command will be in JSON, and the upgrades section will show you any 
upgrades that are available. You can then upgrade your cluster using the following command. 


az aks upgrade --resource-group aks_rg --name aks_cluster --kubernetes-version 1.21.1 


AKS doesn't upgrade all the nodes in the cluster at one time because that can cause problems 
with the applications running in the cluster. Instead, Kubernetes upgrades one node at a 
time. It first stops any pods from being scheduled on the node it's about to upgrade, and any 
pods that are currently running on that node are scheduled on other nodes. A new node is 
then created using the version of Kubernetes you've specified to upgrade to, and only when that 
node is ready and added to the cluster will new pods be scheduled to run on it. Once that's 
done, Kubernetes deletes the node running the older version and begins the upgrade process 
on the next node in the cluster. This continues until all nodes are upgraded. 


EXAM TIP 


When upgrading an AKS cluster, you cannot skip minor versions. For example, you can't 
upgrade from version 1.19.3 to version 1.21.1. You would first have to upgrade to a 1.20 build 
and then upgrade again to version 1.21.1. 


Skill 3.5: Create and configure Azure App Service 


Azure App Service is a PaaS offering that makes it easy to host a web app in the cloud. How- 
ever, App Service isn't just for web apps. Any application that is designed to process HTTP 
requests can benefit from App Service. This makes App Service the ideal hosting platform for 
web apps, apps that expose REST APIs, and much more. 

App Service consists of a front-end load balancer that uses a round robin algorithm to dis- 
tribute requests to web servers. These web servers are called workers, and they are responsible 
for processing HTTP requests. You can run your app on Linux workers or Windows workers, 
and you can also choose the VM size used by your app. App Service offers both shared workers 
(shared with other App Service users) or dedicated workers that host only your apps. These 
configuration choices are part of an App Service plan that is used to host your apps. 


This section covers how to: 
■ Create an App Service Plan 
■ Configure scaling settings in an App Service plan 
■ Create an App Service 
■ Secure an App Service 
■ Configure custom domain names 
■ Configure backup for an App Service 
■ Configure networking settings 
■ Configure deployment settings 


Create an App Service Plan 


Before you create a web app in App Service, you'll need to create your App Service plan. You 
can explicitly create an App Service plan, or you can opt for Azure to create it for you when you 
create your web app. 


To create an App Service plan in the Azure portal, select App Service Plan in the Azure 
Marketplace. Once you specify the resource group for the App Service plan, you can choose 
your operating system, region, and the pricing tier (VM SKU and size) for the App Service plan, 
as shown in Figure 3-49. 


[Figure 3-49: the Create App Service Plan blade, Basics tab, showing Subscription, Resource Group (AZ104), Name (MyAppServicePlan), Operating System (Linux / Windows), Region (Central US), and the Pricing Tier section with Sku and size set to Premium V2 P1v2 (210 total ACU, 3.5 GB memory)] 


FIGURE 3-49 Creating an App Service plan 


Configure scaling settings in an App Service plan 


One of the greatest benefits of App Service is the flexibility it provides for scaling applications. 
You can scale vertically (scale to a more or less powerful VM) or horizontally (add and remove 
workers) easily and quickly. Options for scaling are available on the menu when you open your 
App Service plan in the portal. 


MORE INFO SCALING IS ALWAYS THE SAME 


You'll also see scaling options in the menu after opening a web app in the portal. However, 
when you select these menu options, you're actually scaling the App Service plan the web app 
is running in. In other words, scaling is exactly the same whether you do it from within the App 
Service plan or the web app running in the App Service plan. 


To scale an App Service plan vertically, click the Scale up (App Service Plan) menu option 
in the portal, as shown in Figure 3-50. You can select either Dev/Test, Production, or Iso- 
lated, depending on your specific needs and Azure will show you recommended pricing tiers, 
along with other pricing tiers you can select. After you select the desired pricing tier, click 
Apply and your App Service plan will be immediately scaled to the selected tier. 


[Figure 3-50: the MyAppServicePlan Scale up (App Service plan) blade, with the Settings menu (Apps, File system storage, Networking, Scale up, Scale out, Properties, Locks) and the Monitoring menu (Alerts, Metrics, Logs, Diagnostic settings); the pane lists the included features (Custom domains / SSL with SNI and IP SSL bindings; Auto scale up to 20 instances) and the per-instance hardware configuration (Azure Compute Units, Memory)] 


FIGURE 3-50 Scaling up an App Service plan 
When App Service scales your app to a new tier, it will take steps to ensure your applica- 
tion remains available during the scaling process. It will first allocate one or more VMs of the 
selected size and it will then copy any apps you have in the App Service plan to the new VMs. 
While this happens, the App Service front-end will continue to send any incoming requests to 
your current VMs. Only when your apps are on the new VMs and ready to process requests will 
the front-end start sending new requests to the new VMs. That might seem like it would take a 
bit of time, but in fact, App Service can perform all of these steps quickly. 

To scale an App Service plan horizontally, click the Scale Out (App Service Plan) menu 
option in the portal. You can then choose the number of instances (an instance is a VM) that 
you want to run. In Figure 3-51, an App Service plan is being scaled to three instances. To com- 
plete the scaling operation, click the Save button at the top of the screen. 


[Figure 3-51 screenshot: the MyAppServicePlan | Scale out (App Service plan) blade with Save, Discard and Refresh buttons. Manual scale (maintain a fixed instance count) is selected and an Instance count field is shown; the alternative, Custom autoscale, scales on any schedule, based on any metrics. The blade explains that autoscale adds and removes instances based on demand.] 


FIGURE 3-51 Scaling out an App Service plan 


EXAM TIP 


Remember that when an App Service plan runs on more than one instance, the front-end 
load balancer will use a round robin algorithm to load balance between all instances. 


In addition to manually scaling an App Service plan horizontally, you can also configure 
automatic scaling. Automatic scaling uses the autoscale service in Azure to automatically scale 
your App Service plan based upon specific metrics or specific dates and times. 

To configure autoscale, click the Custom Autoscale option in the Scale Out screen shown 
previously in Figure 3-51. After selecting the autoscale option, you can choose to scale based 
on a metric or scale to a specific instance count. These options are available in the Default 
scale condition, as shown in Figure 3-52. The Default scale condition applies only when no 
other scale conditions are matched. 
[Figure 3-52 screenshot: Custom autoscale selected, with an Autoscale setting name, Resource group AZ104, and the Default (auto created) scale condition set to Scale to a specific instance count of 1. The schedule note says this condition runs when none of the other scale conditions match, and an Add a scale condition link appears at the bottom.] 


FIGURE 3-52 Configuring autoscale for an App Service plan 


To add a new scale condition, click the Add A Scale Condition link at the bottom of the 
screen. Just as with the default rule, you can specify to scale based on a metric or to scale to a 
specific instance count. When you choose to scale based on a metric, you must configure a rule 
for the metric you want to use. You do that by clicking the Add Rule link shown in Figure 3-53. 


[Figure 3-53 screenshot: the Default scale condition followed by a new scale condition set to Scale based on a metric. The new condition has no metric rules defined yet (an Add a rule link is shown, with the example "Add a rule that increases instance count by 1 when CPU percentage is above 70%"; if saved without rules, no scaling occurs), Instance limits (Minimum, Maximum, Default), and a schedule of either specific start/end dates or repeating days, shown here in the (UTC-06:00) Central Time (US & Canada) timezone.] 


FIGURE 3-53 Configuring an autoscale condition 
In Figure 3-54, a new scale rule is being created based on CPU utilization. A historical 
graph is displayed for the selected metric to make it easier to see the pattern for the metric. 
This particular rule is configured so that if CPU usage is greater than 70 percent for 10 minutes, 
autoscale will increase the number of instances by 1. After the App Service plan is scaled, auto- 
scale will wait for 5 minutes (the cool down time) before it will scale the app again. After those 
5 minutes, if CPU usage is still high enough to activate the rule, autoscale will increase the 
instance count by 1 again until it reaches the maximum number of instances, as shown previ- 
ously in Figure 3-53. 


[Figure 3-54 screenshot: the Scale rule blade. Metric namespace App Service plans standard metrics, metric name CPU Percentage (1 minute time grain), time aggregation Average, dimension Instance = All values, with a note that selecting multiple dimension values aggregates the metric across them rather than evaluating each value individually. A CpuPercentage (Average) history graph is shown. Operator Greater than, metric threshold 70, duration 10 minutes, time grain statistic Average; Action: operation Increase count by, instance count 1, with a cool down in minutes.] 


FIGURE 3-54 Configuring an autoscale rule 


EXAM TIP 


When you configure an autoscale rule to scale out for a specific metric, you should also create 
another rule to scale in when that metric drops below your desired threshold. 
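To make the rule semantics above concrete, here is an added Python simulation (not Azure's autoscale engine and not code from this book) of the rule in Figure 3-54 over a constructed series of one-minute CPU samples: average the metric over the rule's duration, compare it with the threshold, honour the cool down, and clamp to the instance limits. The `ScaleRule` class, the sample data and the `simulate` function are all assumptions made for this example. Running the same samples with only the scale-out rule shows the problem the exam tip warns about: the plan never scales back in.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ScaleRule:
    """One autoscale rule, mirroring the fields on the portal's Scale rule blade."""
    operator: str     # "gt" (Greater than) or "lt" (Less than)
    threshold: float  # metric threshold in percent
    duration: int     # minutes the averaged metric must satisfy the operator
    delta: int        # +1 for "Increase count by 1", -1 for "Decrease count by 1"
    cooldown: int     # minutes to wait after a scale action before scaling again


def rule_fires(samples: List[float], rule: ScaleRule) -> bool:
    """Average the last `duration` one-minute samples (time aggregation: Average)
    and compare the result with the threshold."""
    if len(samples) < rule.duration:
        return False
    window = samples[-rule.duration:]
    avg = sum(window) / len(window)
    return avg > rule.threshold if rule.operator == "gt" else avg < rule.threshold


def simulate(cpu_per_minute: List[float], rules: List[ScaleRule],
             minimum: int = 1, maximum: int = 10, initial: int = 1) -> List[Tuple[int, int]]:
    """Replay the samples minute by minute and return (minute, new_count) for
    every scale action.  Rules are evaluated in order; the first one that
    changes the count wins for that minute.  Minutes are zero-based."""
    count = initial
    last_action: Optional[int] = None
    actions: List[Tuple[int, int]] = []
    for minute in range(len(cpu_per_minute)):
        seen = cpu_per_minute[: minute + 1]
        for rule in rules:
            # Cool down: no further action until `cooldown` minutes have passed.
            if last_action is not None and minute - last_action < rule.cooldown:
                continue
            if not rule_fires(seen, rule):
                continue
            # Clamp to the condition's instance limits; a clamped, unchanged
            # count is not a scale action and does not restart the cool down.
            new_count = max(minimum, min(maximum, count + rule.delta))
            if new_count != count:
                count = new_count
                last_action = minute
                actions.append((minute, count))
                break
    return actions


# The rule from Figure 3-54: CPU > 70 % for 10 minutes, +1 instance, 5-minute cool down,
# and the matching scale-in rule the exam tip recommends.
SCALE_OUT = ScaleRule("gt", 70, 10, +1, 5)
SCALE_IN = ScaleRule("lt", 30, 10, -1, 5)

# Constructed load: 25 minutes at 85 % CPU, then 25 minutes at 20 %.
SAMPLE_CPU = [85.0] * 25 + [20.0] * 25


def with_scale_in() -> List[Tuple[int, int]]:
    """Scale out to the maximum of 4, then back down to the minimum of 1."""
    return simulate(SAMPLE_CPU, [SCALE_OUT, SCALE_IN], minimum=1, maximum=4)


def without_scale_in() -> List[Tuple[int, int]]:
    """Only a scale-out rule: the plan reaches 4 instances and stays there."""
    return simulate(SAMPLE_CPU, [SCALE_OUT], minimum=1, maximum=4)


if __name__ == "__main__":
    print("scale-out + scale-in:", with_scale_in())
    print("scale-out only:     ", without_scale_in())
```

With both rules the plan grows by one instance every five minutes while CPU stays high (minutes 9, 14 and 19), stops at the maximum, and shrinks again once the ten-minute average falls below 30 percent. Without the scale-in rule the three scale-out actions are the only ones that ever happen, so the extra instances keep billing after the load is gone.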
Create an App Service 


So far, you've seen how to create an App Service plan. Now let's look at how you can create an 
App Service app that runs in that App Service plan. To create a new web app, search for Web 
App in the Azure Marketplace. When creating your web app, you'll specify a name for the app, 
as shown in Figure 3-55. 


[Figure 3-55 screenshot: Create Web App, Basics tab (other tabs: Deployment (Preview), Monitoring, Tags, Review + create). Resource Group AZ104; Name MyAz104App (.azurewebsites.net); Publish Code (the alternative is Docker Container); Runtime stack .NET Core 3.1 (LTS); Operating System Linux; Region Central US. Under App Service Plan, the Linux Plan (Central US) is the existing MyAppServicePlan (P1v2), with Sku and size Premium V2 P1v2 (210 total ACU, 3.5 GB memory). A note says that if the App Service plan is not listed, try a different region.] 


FIGURE 3-55 Creating a web app 


You have the option of creating your app using your own code or to run a Docker container 
in your App Service plan. If you choose Code, you can select from a wide range of runtime 
stacks, including .NET, Java, Node, PHP, Ruby, and Python. In Figure 3-55, I've selected my 
existing App Service plan for this web app, but you can also create a new App Service plan by 
clicking Create New. Once everything is configured the way you want it, click Review + Create 
to create the web app. Once the web app has been created, you can access it by browsing to 
https://web_app_name.azurewebsites.net. 
If you don't see an existing App Service plan when creating a new web app, make sure you 
have selected the OS that matches the App Service plan’s OS. You also need to ensure the 
region you select is the region where the App Service plan is deployed. 


Secure an App Service 


As is typical with a PaaS service, App Service makes it simple to implement security for your 
web app. You can secure your app with Azure Active Directory, and you can also easily imple- 
ment security using Facebook, Google, and Twitter so that users can authenticate to your app 
using their existing logins. 

To configure authentication, click the Authentication menu item after opening your web 
app in the Azure portal. When you first do this, you'll need to add an identity provider. In 
Figure 3-56, Facebook has been selected as the identity provider. The App ID and App Secret 
are from the Facebook developer's site. The Authentication setting has been set to Require 
Authentication, thereby preventing users from browsing my web app without logging in. 
Directly under that setting, unauthenticated requests are configured to redirect to Facebook 
so that users can log in. Once the settings are configured, click Add to add the provider. 


[Figure 3-56 screenshot: the Add an identity provider blade for MyAz104App (Basics and Scopes tabs). Identity provider Facebook; App registration with App ID and App secret fields (the registration associates the provider with the app). App Service authentication settings: Authentication set to Require authentication (the alternative, Allow unauthenticated access, means your own code must handle authentication); Unauthenticated requests set to HTTP 302 Found redirect, recommended for websites (alternatives: HTTP 401 Unauthorized, recommended for APIs, and HTTP 403 Forbidden); a Redirect to setting and a Token store checkbox.] 


FIGURE 3-56 Configuring an identity provider to secure a web app 
EXAM TIP 


App Service uses OAuth authentication when configuring a third-party identity provider. 
Secrets that you provide to configure the provider are securely stored in Azure Key Vault. 


You can configure multiple identity providers for your app. However, doing so will require 
you to create a page that presents users with a list of authentication providers and links to 
sign in. For more information on doing this, see https://docs.microsoft.com/en-us/azure/ 
app-service/app-service-authentication-how-to#use-multiple-sign-in-providers. 


Configure custom domain names 


As I mentioned earlier, you can browse to your app in App Service using https://app_name. 
azurewebsites.net, but it's likely you'll want to use your own custom domain name. App Service 
makes using a custom domain easy. 


In order to map an existing custom domain to your web app, you'll need to go through a 
series of steps, some of which are carried out at your domain registrar's website. Therefore, 
some of the steps may differ slightly depending on your provider. 


Open your web app in the Azure portal and click Custom Domains in the menu. Once you 
do, you'll see the IP address and custom domain verification ID as shown in Figure 3-57. You'll 
use these to configure the DNS records at your domain registrar. 


[Figure 3-57 screenshot: the MyAz104App | Custom domains blade. It shows the app's IP address, the Custom Domain Verification ID, an HTTPS Only toggle, an Add custom domain link, and the list of assigned custom domains with their SSL state and SSL binding (filterable by Not Secure / Secure). Below is an App Service Domains section (manage domains with auto-renew and privacy protection) with a Buy App Service domain link and no domains listed.] 


FIGURE 3-57 Configuring a custom domain in App Service 
You'll need to create several DNS records at your domain registrar. 


■ A record  To map your root domain (mydomain.com), create an A record that maps a 
host of @ to the IP address shown in the Azure portal. 


■ TXT record  To verify ownership of your root domain, create a TXT record named asuid 
with a value of the custom domain verification ID shown in the Azure portal. 


■ CNAME record  To map a subdomain (www.mydomain.com), create a CNAME record 
that maps the desired subdomain (such as www) to the azurewebsites.net URL for your 
app. 

■ TXT record  To verify ownership of your subdomain, create a TXT record named 
asuid.subdomain (such as asuid.www) with a value of the custom domain verification ID 
shown in the Azure portal. 


Once you've created these records, you can proceed to add your custom domain in the 
Azure portal by clicking the Add Custom Domain link shown previously in Figure 3-57. After 
clicking the link, enter the custom domain you want to add and click the Validate button 
shown in Figure 3-58. 


[Figure 3-58 screenshot: the Add custom domain blade for myaz104app. Custom domain www.mycustomdomainname.com; Hostname record type CNAME (www.example.com or any subdomain). The CNAME configuration panel explains that a CNAME makes one name an alias for another and shows the Custom Domain Verification ID. A DNS propagation note says changes can take up to 48 hours to propagate and can be checked at https://digwebinterface.com/. The Hostname availability check passes; the Domain ownership check shows an error icon.] 


FIGURE 3-58 Adding a custom domain 
As you can see in Figure 3-58, Domain Ownership shows an error icon. This is because 
the necessary DNS records have not yet been configured for the custom domain specified. 
Once those records have been created and propagated, I can click Validate again to retry. 
Once domain ownership is verified by the DNS records, the Add Custom Domain button will 
become enabled. 
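The DNS record list above and the Domain Ownership check in Figure 3-58 can be expressed as a small planning and pre-flight check. The following Python is an added example, not code from this book or from App Service: `required_records` builds the records the text calls for (A plus TXT for the apex, CNAME plus TXT for a subdomain), and `missing_records` compares them against a constructed snapshot of what a zone currently publishes, so you can see why validation fails before the `asuid` TXT record exists. The `DnsRecord` class, the zone snapshot format, the 203.0.113.10 address and the verification ID placeholder are all assumptions made for this example; the real verification ID comes from the Custom domains blade of your app.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class DnsRecord:
    name: str   # owner name relative to the zone; "@" is the zone apex
    rtype: str  # "A", "CNAME" or "TXT"
    value: str


def required_records(hostname: str, zone: str, app_ip: str,
                     app_host: str, verification_id: str) -> List[DnsRecord]:
    """Records to create at the registrar for `hostname` inside `zone`,
    following the four record types listed in the text.  app_host is the
    app's azurewebsites.net hostname, app_ip the address from the portal."""
    if hostname == zone:
        # Root domain: A record for @ plus the ownership TXT named asuid.
        return [DnsRecord("@", "A", app_ip),
                DnsRecord("asuid", "TXT", verification_id)]
    if not hostname.endswith("." + zone):
        raise ValueError(f"{hostname} is not inside zone {zone}")
    label = hostname[: -(len(zone) + 1)]          # "www" for www.mydomain.com
    # Subdomain: CNAME to the app plus the ownership TXT named asuid.<label>.
    return [DnsRecord(label, "CNAME", app_host),
            DnsRecord(f"asuid.{label}", "TXT", verification_id)]


def _norm(value: str) -> str:
    # DNS names are case-insensitive and lookups often return a trailing dot;
    # the verification ID is compared case-insensitively as well.
    return value.lower().rstrip(".")


def missing_records(required: List[DnsRecord],
                    zone_data: Dict[Tuple[str, str], List[str]]) -> List[DnsRecord]:
    """Return the required records that are absent from zone_data or whose
    published value differs.  zone_data maps (name, type) to the values a
    DNS lookup currently returns (a constructed snapshot in this example)."""
    missing = []
    for rec in required:
        published = [_norm(v) for v in zone_data.get((rec.name, rec.rtype), [])]
        if _norm(rec.value) not in published:
            missing.append(rec)
    return missing


# Constructed values: a documentation-range IP, the app name used in this
# chapter, and a placeholder for the verification ID shown in the portal.
APP_IP = "203.0.113.10"
APP_HOST = "myaz104app.azurewebsites.net"
VERIFICATION_ID = "VERIFICATION-ID-FROM-PORTAL"   # placeholder, not a real ID


def check_www_before_txt() -> List[DnsRecord]:
    """Only the CNAME exists, so Domain ownership fails as in Figure 3-58."""
    zone = {("www", "CNAME"): ["MyAz104App.azurewebsites.net."]}
    req = required_records("www.mydomain.com", "mydomain.com",
                           APP_IP, APP_HOST, VERIFICATION_ID)
    return missing_records(req, zone)


def check_www_after_txt() -> List[DnsRecord]:
    """CNAME and asuid.www TXT both published: nothing is missing."""
    zone = {("www", "CNAME"): ["MyAz104App.azurewebsites.net."],
            ("asuid.www", "TXT"): [VERIFICATION_ID]}
    req = required_records("www.mydomain.com", "mydomain.com",
                           APP_IP, APP_HOST, VERIFICATION_ID)
    return missing_records(req, zone)


def check_apex_stale_id() -> List[DnsRecord]:
    """Apex A record is right but the asuid TXT carries an old ID."""
    zone = {("@", "A"): ["203.0.113.10"], ("asuid", "TXT"): ["stale-id"]}
    req = required_records("mydomain.com", "mydomain.com",
                           APP_IP, APP_HOST, VERIFICATION_ID)
    return missing_records(req, zone)


if __name__ == "__main__":
    print("www, before TXT:", check_www_before_txt())
    print("www, after TXT: ", check_www_after_txt())
    print("apex, stale ID: ", check_apex_stale_id())
```

The check deliberately treats a TXT record with the wrong value the same as a missing one, which is what the portal's Domain Ownership step does: the record must carry the verification ID for the app you are adding the domain to, not one left over from an earlier app.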


EXAM TIP 

If you don’t already own a custom domain name, you can use App Service domains to buy 
and configure a custom domain name. App Service domains are fully managed in Azure, and 
they're the easiest way to configure a custom domain. 

To create an App Service domain, search for App Service Domains in the Azure portal or 
click the link on the Custom Domains screen for your web app. 


Configure backup for an App Service 


App Service provides easy backup and restore of your apps. These backups can be created 
manually, or they can be scheduled on a regular basis. Backups can be retained for an indefi- 
nite amount of time. 


When you back up your app, App Service can back up not only the app's content and con- 
figuration, but it can also back up SQL Database, Azure Database for MySQL, Azure Database 
for PostgreSQL, and MySQL in-app databases. 


MORE INFO MYSQL IN-APP 


MySQL in-app is a feature of App Service that provides a file-based MySQL database for use in 
your app. 


App Service backups are stored in Azure storage, and each backup is a complete copy of the 
app. Backups are not incremental. 


You can manually back up your app by clicking on the Backups menu option and clicking 
on Backup as shown in Figure 3-59. Note that if you haven't already configured the storage 
account for your backups, you'll first need to do that. 


Once you've created a backup, you can restore the backup by clicking Restore. You can 
choose to overwrite your existing app or restore the backup to a new app. If you'd prefer, 
you can create a scheduled backup so that App Service backs up your app automatically at 
configured times. To configure a backup schedule, click the banner shown previously in Figure 
3-59. When you do, you'll see the backup configuration screen where you can click Scheduled 
Backup to define a backup schedule as shown in Figure 3-60. 
[Figure 3-59 screenshot: the MyAz104App | Backups blade with Configure, Refresh and Reset buttons and a FAQs link. Two options are described: Snapshots, which automatically create periodic restore points of the app when it is hosted in a Premium App Service plan, and Backup, which creates restorable archive copies of the app's content, configuration and database.] 


FIGURE 3-59 Backing up a web app 
[Figure 3-60 screenshot: the backup schedule configuration screen. The databases to include are chosen from the app's configured connection strings (columns: Include in Backup, Connection String Name, Database Type); the note says the content plus database backup cannot exceed 10GB and that large, growing databases should use Azure Backup instead. No supported connection strings of type SQL Database or MySQL are configured in the app.] 


FIGURE 3-60 Configuring a backup schedule 


Once you configure your desired settings, click Save to save the schedule. 
EXAM TIP 


If you want to keep your scheduled backup for an indefinite amount of time, set the Reten- 
tion Days to 0. 


App Service backups cannot exceed 10 GB, and that includes the app’s content and any 
databases. It's also important to remember that you have to be running your App Service plan 
in the Standard tier or higher. Backup is not available for lower tiers. 


Configure networking settings 


There are several features in App Service that enable certain networking scenarios. These 
features include: 


■ VNet integration  Enables outgoing communication from your app into your Azure 
virtual network. 


■ Private Endpoint connections  Enables connectivity to your app from private end- 
points using Azure Private Link. 


■ Hybrid connections  Enables outgoing communication from your app to an endpoint 
using a TCP connection. The host can be located practically anywhere. 


It's relatively common for an app in App Service to need access to other Azure resources 
running inside of a VNet. By configuring VNet integration with your web app, you can easily 
connect your app to your existing VNet. 


To configure VNet integration, click the Networking menu for your web app in the portal 
and then click the link to configure VNet integration. Click Add VNet and select your existing 
VNet and subnet as shown in Figure 3-61. Click OK to add the VNet. 


[Figure 3-61 screenshot: the VNet Integration blade for myaz104app, with an Add VNet button and VNet Details showing VNet name, location and address space as Not Configured. In the VNet Configuration pane, Virtual Network az104VNet (Central US) is chosen and the Subnet option Select Existing is set to the default subnet (10.0.0.0 - 10.0.0.255).] 


FIGURE 3-61 Configuring VNet integration with a web app 
Once you've added your VNet, your app can then make outgoing connections to the VNet. 


If you want to provide a secure connection to your app, you can configure private end- 
points. Private endpoints enable you to connect securely to resources running in an Azure 
VNet or to on-premises resources using either VPN or ExpressRoute. 


To configure private endpoint connections, click the link to configure private endpoint 
connections in the Networking screen of your web app. You can then click Add to add a new 
private endpoint, as shown in Figure 3-62. 


[Figure 3-62 screenshot: the Private Endpoint connections blade (private access to services hosted on the Azure platform) with no connections listed, and the Add Private Endpoint pane: Name, Subscription, Virtual network az104VNet, Subnet, and Integrate with private DNS zone set to Yes. Notes explain that a network security group enabled on the chosen subnet is disabled for private endpoints on that subnet only (other resources on the subnet keep NSG enforcement), and that the endpoint is integrated with the private DNS zone privatelink.azurewebsites.net in the subnet's resource group, which is created automatically if it does not exist.] 


FIGURE 3-62 Configuring a private endpoint 


After you enter the endpoint name, select your VNet and subnet before clicking OK to add 
the endpoint. After doing that, a network device on your VNet can access your web app using 
Private Link, and that connection will be sent over the Azure backbone infrastructure rather 
than the public Internet. 


Hybrid connections enable your web app to access a resource on another network without 
complicated configuration. They're often used to access an on-premises resource from a web 
app. Hybrid connections rely on the installation of the Hybrid Connection Manager (HCM) 
on the host you're attempting to access. The HCM handles the communication between the 
remote host and the web app, and because this communication happens over standard web 
ports, a hybrid connection usually doesn’t require any ports to be opened on a firewall. 


To configure a hybrid connection, click the link to configure hybrid connections in the Net- 
working screen of your web app. As shown in Figure 3-63, from this screen, you can download 
the HCM and you can also add a new hybrid connection. 
[Figure 3-63 screenshot: the Hybrid connections blade for myaz104app. App Service integration with hybrid connections gives the app access to a single TCP endpoint per hybrid connection. Shown: App service plan MyAppServicePlan (PremiumV2), Location Central US, Connections used, a Download connection manager link and an Add hybrid connection link; no connections are listed.] 


FIGURE 3-63 Hybrid connections with a web app 


After clicking the Add Hybrid Connection link, click Create New Hybrid Connection to 
display the screen to create a hybrid connection as shown in Figure 3-64. 


[Figure 3-64 screenshot: the Add hybrid connection pane (select an existing connection from the list or create a new one) and the Create new hybrid connection form: Hybrid connection Name, Endpoint Host onpremisedbserver, Endpoint Port 3306, Servicebus namespace set to Create new with Location East US and Name az104ns.] 


FIGURE 3-64 Adding a new hybrid connection 


Give your hybrid connection a name that you can easily identify. The endpoint host you 
specify is usually going to be the NetBIOS name of the server you're connecting to. For exam- 
ple, in Figure 3-64, I'm connecting to an on-premises database server with a name of 
onpremisedbserver. The endpoint port is configured to 3306 because my database server is running 
MySQL, and that's the port that MySQL uses for incoming connections. 
Note that a Service Bus namespace has also been configured. This is because hybrid con- 
nections use Service Bus for communication. It's important that your Service Bus namespace 
be in the same region as your web app in order to avoid latency. 


EXAM TIP 

The HCM doesn't have to be installed on the host you specify for your hybrid connection. 
It does, however, need to be installed on a server that can successfully resolve the endpoint 
host. This means that you can use hybrid connections to connect to on-premises servers 
that aren't even connected to the Internet as long as they can connect to the server where 
the HCM is installed. 


Configure deployment settings 


App Service provides numerous options for deploying your app, but before we get into those 
options, we first need to discuss a feature called deployment slots. 

Deployment slots allow you to create another app with its own hostname in your App 
Service plan. You can use a deployment slot to test a new version of an app, and once you're 
satisfied with the new version, you can easily swap the test deployment slot into production. 
You can even configure App Service to send a percentage of live traffic to a deployment slot 
for testing. 

To create a new deployment slot, click the Deployment Slots menu option for your web 
app. Click Add Slot to add a new deployment slot, as shown in Figure 3-65. 


[Figure 3-65 screenshot: the Add a slot pane beside the Deployment slots list. The new slot's hostname is shown as myaz104app-privatetesting.azurewebsites.net, and the list (deployment slots are live apps with their own hostnames, including the production slot) shows myaz104app and myaz104app-staging, both Running.] 


FIGURE 3-65 Adding a deployment slot 
Enter the name you want to use for your deployment slot. Once you've added the slot, you 
can browse to it using this URL: https://app_name-slot_name.azurewebsites.net. You can also 
choose to clone settings from another deployment slot. Once you've entered the necessary 
information, click Add to add the slot and click Close to close the Add A Slot screen. 


Once you've added your deployment slot, you can deploy a test version of your app to that 
slot. You can then easily configure a certain portion of live traffic to be distributed to that slot. 
In Figure 3-66, 30 percent of my live traffic is configured to go to the staging deployment slot. 


[Figure 3-66 screenshot: the MyAz104App | Deployment slots blade with Add Slot, Swap, Logs and Refresh buttons. Deployment slots are live apps with their own hostnames; app content and configuration elements can be swapped between two deployment slots, including the production slot. The myaz104app-staging slot is listed with its share of live traffic.] 


FIGURE 3-66 Configuring deployment slot traffic 


It's important to understand that each deployment slot is its own web app. If I click the stag- 
ing slot shown in Figure 3-66, it will open that web app in the Azure portal, and any changes 
I make apply only to the staging slot. This concept will be important to understand when we 
cover deployment options later in this section. 


After testing the staging slot, I can easily move it into production by clicking the Swap 
button at the top of the screen. I can then select the source slot, the target slot, and review 
changes that will take place based on my settings, as shown in Figure 3-67. 


[Figure 3-67 screenshot: the Swap pane over the Deployment slots blade. Source myaz104app-staging, Target myaz104app, a Perform swap with preview option, and a Config Changes section summarizing the final set of configuration changes on the source and target deployment slots (Target Changes, with old and new values).] 


FIGURE 3-67 Swapping a slot 
When I'm ready to complete the swap, I click the Swap button at the bottom of the screen, 
and App Service takes care of the rest. 


Once you configure deployment slots, you'll typically always deploy new code into the stag- 
ing slot. To configure deployment for that slot, click the staging slot in the Deployment Slots 
screen shown previously in Figure 3-66. This will open the staging slot's web app in the Azure 
portal, as I mentioned previously. 


After opening the staging slot, click Deployment Center in the menu to display the 
Deployment Center, as shown in Figure 3-68. 


[Figure 3-68 screenshot: the Deployment Center for the staging slot (myaz104app/staging).] 


FIGURE 3-68 The Deployment Center 


One of the most common deployment options is to use continuous integration and contin- 
uous deployment (CI/CD). When using this option, you use a source repository such as GitHub, 
Bitbucket, or a local Git repository. Whenever you push new code to the source repository, 
it will automatically publish that new code to your web app. To configure CI/CD, select your 
source code repository from the drop-down menu and follow the prompts. 


App Service also supports deployment using FTPS, and you can find the credentials and 
other information necessary to use FTPS deployment by clicking the FTPS Credentials tab 
shown previously in Figure 3-68. 


Finally, you can deploy to your web app using tools such as Visual Studio, Visual Studio 
Code, and others by using the publish profile. The publish profile is a configuration file that lists 
all the methods available for deployment, as well as the credentials necessary for connecting. 
Visual Studio and Visual Studio Code can both access this publish profile automatically for easy 
deployment, but you can also click Manage Publish Profile shown previously in Figure 3-68 if 
you want to download the file for use in other applications that support it. 
MORE INFO KEEP THE PUBLISH PROFILE SECURE 


It's important to keep the publish profile secured. It contains all the usernames and passwords 
that can be used to deploy to your web app via the various deployment methods. If this file has been 
compromised, you can click Manage Publish Profile and reset these credentials. 


Thought experiment 


In this thought experiment, apply what you have learned in this chapter. You can find answers 
to these questions in the next section, “Thought experiment answers.” 


Scenario 1 


You are the IT administrator for Contoso, and you are tasked with migrating an existing web 
farm and database to Microsoft Azure. The web application is written in PHP and is deployed 
across 20 physical servers running RedHat for the operating system and Apache for the web 
server. The backend consists of two physical servers running MySQL in an active/passive 
configuration. 


The solution must provide the ability to scale to at least as many web servers as the existing 
solution, and ideally the number of web server instances should automatically adjust based on 
demand. All the servers must be reachable on the same network, so the administrator can 
easily connect to them using SSH from a jumpbox (a VM that is exposed through a public IP and 
is used to connect to the other VMs in the network over their private IPs) to administer the VMs. 

Answer the following questions for your manager: 

1. Which compute option would be ideal for the web servers? 
2. How should the servers be configured for high availability? 


3. What would be the recommended storage configuration for the web servers? What 
about the database servers? 


4. What feature could be used to ensure that traffic to the VMs only goes to the appropri- 
ate services (Apache, MySQL, and SSH)? 


Scenario 2 


You are the solution architect for Contoso, and you must design a Python-based solution for 
hosting a web application in Microsoft Azure. Users must be able to access this application 
from multiple locations, and the application must be available around the clock. Also, the 
application should be implemented with DevOps capabilities, such as continuous deployment, 
package management, and the like. 


Moreover, you don’t want to manage the infrastructure, and you want to avoid the administration 
as much as possible. You do not want to manage the Windows and software updates on 
your own. 


Answer the following questions about your solution: 
1. Which compute option would be ideal for hosting this web application? 
2. How will you avoid managing the infrastructure? 


3. How will you make sure your application is highly available? 


Thought experiment answers 


This section contains the solution to the thought experiment for the chapter. 


Scenario 1 


1. The web servers would be best served by deploying them into a virtual machine scale 
set (VMSS). Scaling should be configured on the VMSS to address the requirement of 
automatically scaling up/down the number of instances based on the demand (CPU) 
used on the web servers. 


2. The web servers should be deployed into their own availability set or availability zone if 
it is available within the region. The database tier should also be deployed into its own 
availability set or availability zone. 

3. The web servers will likely not be I/O intensive, so Standard SSD should be appropriate. 
The database servers will likely be I/O intensive, so Premium SSD is the recommended 
approach. To minimize management overhead and to ensure that storage capacity 
planning is done correctly, managed disks should be used in both cases. 

4. Use Network Security Groups (NSGs) to ensure that only traffic destined for allowed 
services can communicate to the VMs. 


Scenario 2 


1. Azure App Service will be best suited for this set of requirements. You should deploy a 
Python web app to App Service on Linux. 


2. Azure App Service is a PaaS solution, so a managed infrastructure will host your applica- 
tion. You do not need to worry about the VMs on which the app is deployed. No addi- 
tional administration efforts are required to manage Windows and software updates. 


3. Azure App Service provides 99.95 percent availability for the Basic tier (or higher). 


Chapter summary 


This chapter focused heavily on creating and configuring virtual machines in Azure as well as 
automated deployments using Azure Resource Manager templates and even the command 
line tools. The chapter wrapped up focusing on container services, such as AKS and ACI, fol- 
lowed by Azure App Service and App Service Plans. Let's review some of the key takeaways. 


■ Each compute family is optimized for either general or specific workloads. You should 
optimize your VM by choosing the most appropriate size. 

■ You can create VMs from the Azure portal, PowerShell, the CLI, and Azure Resource 
Manager templates. You should understand when to use which tool and how to configure 
the virtual machine resource during provisioning and after provisioning. For example, 
availability sets can only be set at provisioning time, but data disks can be added at any time. 

■ You can connect to Azure VMs using a public IP address or a private IP address with RDP, 
SSH, or even PowerShell. To connect to a VM using a private IP, you must also enable 
connectivity such as site-to-site, point-to-site, or ExpressRoute. 

■ The Custom Script Extension is commonly used to execute scripts on Windows or Linux-based 
VMs. The PowerShell DSC extension is used to apply desired state configurations 
to Windows-based VMs. 

■ A common method of troubleshooting virtual machines with RDP/SSH connectivity or 
unexplained application issues is to redeploy the virtual machine. Redeploy moves the 
virtual machine to a different Azure node. 

■ VM storage comes in Standard HDD, Standard SSD, and Premium SSD, with Ultimate SSD in 
preview. Understanding which tier to choose for capacity and performance planning is 
important. 

■ There are unmanaged and managed disks and images. The key difference between the 
two is that with unmanaged disks or images it is up to you to manage the storage account. 
With managed disks, Azure takes care of this for you, so it greatly simplifies managing 
images and disks. 

■ The Azure Diagnostics agent can be enabled on Windows and Linux virtual machines to 
capture diagnostic, performance, log, and boot diagnostic data. 

■ Availability Zones provide high availability at the data center level. Availability sets 
provide high availability within a data center. 

■ Managed disks provide additional availability over unmanaged disks by aligning with 
availability sets and providing storage in redundant storage units. 

■ Virtual machine scale sets (VMSS) can scale up to 1,000 instances. You need to ensure 
that you create the VMSS configured for large scale sets if you intend to go above 100 
instances. There are several other limits to consider too. Using a custom image, you can 
only create up to 300 instances. To scale above 100 instances, you must use the Standard 
SKU of the Azure Load Balancer or the Azure App Gateway. 

■ Azure Resource Manager templates are authored using JSON and allow you to define 
the configuration of resources, such as virtual machines, storage accounts, and so on, in 
a declarative manner. 

■ Kubernetes is an open-source container management and orchestration system. 

■ Azure Kubernetes Service is a PaaS offering of Kubernetes running in Azure. It reduces 
the configuration and operational overhead of the cluster. 

■ Azure Container Instances are a way to quickly deploy isolated containers without 
worrying about backend infrastructure. 

■ App Service is a PaaS-hosting service that makes it easy to build applications that can 
process HTTP requests. 

■ An App Service plan offers compute resources to the web application for its execution. 
This App Service plan can be shared with multiple web apps, too. 
Configure and manage virtual networking 


An Azure virtual network (or VNet) provides the foundation of the Azure networking infra- 
structure. Virtual machines are connected to virtual networks. This connection provides 
inbound and outbound connectivity to other virtual machines, to on-premises networks, 
and to the Internet. Azure provides many networking features that will be familiar to those 
already experienced in networking, such as the abilities to control which network flows are 
permitted and to control network routing. These features allow Azure deployments to imple- 
ment familiar network architectures, such as network segmentation between layers of an 
N-tier application. 


This chapter focuses on the core capabilities that allow you to connect your Azure virtual 
machines—flexibly and securely. 


Skills in this chapter: 
■ Skill 4.1: Implement and manage virtual networking 
■ Skill 4.2: Secure access to virtual networks 
■ Skill 4.3: Configure load balancing 
■ Skill 4.4: Monitor and troubleshoot virtual networking 
■ Skill 4.5: Integrate an on-premises network with an Azure virtual network 


Skill 4.1: Implement and manage virtual networking 


Azure Virtual Networks (VNets) form the foundation of the Azure Networking infrastructure. 
Each virtual network allows you to define a network space, comprising one or more 
IP address ranges. This network space is then carved into subnets. IP addresses for virtual 
machines, as well as some other services such as an internal Azure Load Balancer, are 
assigned from these subnets. Each subnet allows you to define which network flows are 
permitted (using Network Security Groups), and what network routes should be taken 
(using user-defined routes). Together, these features allow you to implement many common 
network topologies, such as a DMZ containing a network security appliance or a multi-tier 
application architecture with restricted communications between application tiers. 
This section covers how to: 

■ Create and configure virtual networks, including peering 
■ Configure private and public IP addresses 
■ Configure user-defined network routes 
■ Implement subnets 
■ Configure Azure DNS, including custom DNS settings and private or public 
DNS zones 


Create and configure virtual networks and subnets 


A virtual network (VNet) is an Azure resource. When creating a VNet, the most important 
setting is the IP range (or ranges) the VNet will use. 


IP ranges are defined using classless inter-domain routing (CIDR) notation. For example, the 
range 10.5.0.0/16 represents all IP addresses starting with 10.5. (The /16 represents the bitmask 
and indicates that the first 16 bits are the same for every IP in the address range.) Each virtual 
network can use either a single IP range or multiple disjoint IP ranges. 


NOTE CIDR NOTATION 


You will need to understand CIDR notation to work effectively with virtual networks in 
Azure. There are many good explanations to be found online. For example, see 
https://devblogs.microsoft.com/premier-developer/understanding-cidr-notation-when-designing-azure-virtual-networks-and-subnets/. 


NOTE VIRTUAL NETWORK IP RANGES 


It is normally a good idea to plan your network space in advance. Typically, you will want 
to avoid creating overlaps with other virtual networks or with on-premises environments 
because any overlap will prevent you from connecting these networks later. 


Your VNet IP ranges must be taken from the private address ranges defined in RFC 1918: 
■ 10.0.0.0-10.255.255.255 (10.0.0.0/8) 
■ 172.16.0.0-172.31.255.255 (172.16.0.0/12) 
■ 192.168.0.0-192.168.255.255 (192.168.0.0/16) 


You can also use public, Internet-addressable IP ranges in your VNet. However, this is not 
recommended because the addresses within your VNet will take priority, and virtual machines 
in your VNet will no longer be able to access the corresponding Internet addresses. 
In addition, there are a small number of IP ranges reserved by the Azure platform that 
therefore cannot be used: 

■ 169.254.0.0/16 (Link-local) 
■ 168.63.129.16/32 (Azure-provided DNS) 


Subnets 


Any Azure resource in a virtual network is deployed into a subnet. Subnets are used to divide 
the VNet IP space. Different subnets can have different network security and routing rules, 
enabling applications and application tiers to be isolated and network flows between them to 
be controlled. For example, consider a typical three-tier application architecture comprised 
of a web tier, an application tier, and a database tier. By implementing each tier as a separate 
subnet, you can control precisely which network flows are permitted between tiers and from 
the Internet. 


The name of a subnet must be unique within that VNet. You cannot change the subnet 
name after it has been created. 


Each subnet must also define a single network range (in CIDR format). This range must be 
contained within the IP ranges defined by the VNet. Only IP addresses from within the subnets 
can be assigned to virtual machines and other resources. Subnets do not have to span the 
entire VNet address space; subnets can be a subset, leaving unused space for future expansion. 


Azure reserves a couple of IP addresses in each subnet. As in standard IP networks, 
Azure reserves the first and last IP addresses in each subnet for network identification and 
broadcast, respectively. 

You are required to define one subnet when creating a VNet using the Azure portal. VNets 
typically can have multiple subnets, and you can add new subnets to your VNet at any time. 

You can't change the address range if there are resources already deployed to the subnet. If 
you want to make a change to a subnet's address range, you first must delete all the objects in 
that subnet. If the subnet is empty, you can change the range of addresses to any range that is 
within the address space of the VNet not assigned to any other subnets. 

Subnets can only be deleted from a VNet if they are empty. Once a subnet is deleted, the 
addresses that were part of its address range are released and available again for use within 
new subnets that you create. 
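The address-space rules described above (RFC 1918 source ranges, the Azure-reserved ranges, subnets that must sit inside the VNet space and must not overlap, and the addresses Azure holds back in every subnet) can be checked before anything is provisioned. The following Python is an added example written for this section, not code from the book or from any Azure tool; the five-address reservation is taken from the Add Subnet blade in Figure 4-5, which displays "251 + 5 Azure reserved addresses" for a /24, and the function names are this example's own.

```python
import ipaddress

# RFC 1918 private ranges from which VNet address spaces must be taken (from the chapter).
RFC1918 = [ipaddress.ip_network(r) for r in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Ranges reserved by the Azure platform and therefore unusable in a VNet (from the chapter).
AZURE_RESERVED = [ipaddress.ip_network(r) for r in ("169.254.0.0/16", "168.63.129.16/32")]
# Addresses Azure reserves in every subnet. The Add Subnet blade in Figure 4-5 shows
# "251 + 5 Azure reserved addresses" for a /24; this constant is taken from that display.
RESERVED_PER_SUBNET = 5


def _parse(cidr):
    """Parse a CIDR string strictly: host bits set in the prefix (e.g. 10.5.1.0/16) are an error."""
    return ipaddress.ip_network(cidr, strict=True)


def check_vnet_address_space(ranges):
    """Return a list of problems with a proposed VNet address space (empty list = acceptable)."""
    problems, nets = [], []
    for r in ranges:
        try:
            nets.append(_parse(r))
        except ValueError as exc:
            problems.append(f"{r}: invalid CIDR ({exc})")
    for net in nets:
        if not any(net.subnet_of(p) for p in RFC1918):
            problems.append(f"{net}: not within an RFC 1918 private range")
        if any(net.overlaps(res) for res in AZURE_RESERVED):
            problems.append(f"{net}: overlaps an Azure-reserved range")
    # A VNet may use several ranges, but they must be disjoint.
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} and {b}: ranges in the same VNet overlap")
    return problems


def check_subnets(vnet_ranges, subnets):
    """Validate subnets (name -> CIDR) against the VNet address space:
    each must sit inside one of the VNet ranges, and no two subnets may overlap."""
    vnet = [_parse(r) for r in vnet_ranges]
    parsed, problems = {}, []
    for name, cidr in subnets.items():
        try:
            net = _parse(cidr)
        except ValueError as exc:
            problems.append(f"subnet {name}: invalid CIDR {cidr} ({exc})")
            continue
        if not any(net.subnet_of(v) for v in vnet):
            problems.append(f"subnet {name} ({net}): outside the VNet address space")
        parsed[name] = net
    names = list(parsed)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if parsed[a].overlaps(parsed[b]):
                problems.append(f"subnets {a} and {b} overlap")
    return problems


def usable_addresses(subnet_cidr):
    """Addresses left for VMs and other resources after Azure's per-subnet reservation."""
    return _parse(subnet_cidr).num_addresses - RESERVED_PER_SUBNET


if __name__ == "__main__":
    # Constructed sample matching the ExamRef-VNet shown in Figures 4-4 and 4-5.
    print(check_vnet_address_space(["10.0.0.0/16"]))                                        # []
    print(check_subnets(["10.0.0.0/16"], {"Apps": "10.0.0.0/24", "Data": "10.0.1.0/24"}))    # []
    print(check_subnets(["10.0.0.0/16"], {"Apps": "10.0.0.0/23", "Data": "10.0.1.0/24"}))    # overlap
    print(usable_addresses("10.0.1.0/24"))                                                   # 251
```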


Additional virtual network settings 


So far, we have focused on the most important settings of each VNet and subnet: the IP 
address ranges. There are some additional settings and features of VNets and subnets to be 
aware of. Table 4-1 provides a summary of a few settings supported by virtual networks. 
TABLE 4-1 Properties of a virtual network 

■ Name. The VNet name must be unique within the resource group, is between 2 and 
64 characters, and may contain letters (case insensitive), numbers, underscores, 
periods, or hyphens. It must start with a letter or number and end with a letter, 
number, or underscore. 

■ Location. Each VNet is tied to a single Azure region and can only be used by resources (such as 
virtual machines) in the same region. 

■ Address Space. An array of IP address ranges available for use by subnets. 

■ DNS settings. Contains an array of DNS servers. If specified, these DNS servers are configured on 
virtual machines in the virtual network in place of the Azure-provided DNS servers. 

■ Subnets. The list of subnets configured for this VNet. 

■ Peerings. The list of peerings configured for this VNet. Peerings are used to create network 
connectivity between separate VNets. 


Table 4-2 provides a summary of the settings supported by virtual network subnets. 


TABLE 4-2 Settings of a virtual network subnet 

■ Name. The subnet name must be unique within the VNet. It is between 2 and 80 characters and may 
contain letters (case insensitive), numbers, underscores, periods, or hyphens. It must 
start with a letter or number and must end with a letter, number, or underscore. 

■ Address range. The IP address range for a subnet, specified in CIDR notation. All subnets must sit within 
the VNet address space and cannot overlap. 

■ Network security group. Reference to the network security group (NSG) for the subnet. NSGs can be 
associated to a subnet and are used to control which inbound and outbound traffic flows are 
permitted. 

■ Route table. Route table applied to the subnet and used to override the default system routes. These 
are used to send traffic to destination networks that are different than the routes that 
Azure uses by default. 

■ Service endpoints (and policies). An array of Service Endpoints for this subnet. Service Endpoints provide a direct route to 
various Azure PaaS services (such as Azure storage), without requiring an Internet-facing 
endpoint. Service Endpoint Policies provide further control over which instances of those 
services may be accessed. 

■ Delegations. An array of references to delegations on the subnet. Delegations allow subnets to be 
used by certain Azure services, which will then deploy managed resources (such as an 
Azure SQL Database Managed Instance) into the subnet. Access to these resources is 
private and can be controlled using NSGs. Delegations also support access to and from 
on-premises networks when hybrid networking is used. 
Creating a virtual network and subnets using the Azure portal 


To create a new VNet by using the Azure portal, first click Create A Resource on the home 
page and then select Networking. Next, click Virtual Network from the list. 


The Create Virtual Network blade opens. Here you can provide configuration information 
about the virtual network. This blade requires the following inputs, as shown in Figure 4-1. 


■ Subscription in which the VNet is created 
■ The resource group where the VNet is created 
■ Name of the virtual network 
■ The location for the VNet 
The following values are set automatically, though you can override them as needed: 
■ Address space to be used for the VNet using CIDR notation 
■ Subnet name for the first subnet in the VNet 
■ The Address Range of the first Subnet 


[Figure: Create Virtual Network blade, Basics tab, showing the Subscription, Resource group, Name, and Region fields] 

FIGURE 4-1 Basics blade while creating virtual network 


On the next screen, you can supply address spaces to be used for the VNet using CIDR 
notation. When creating a VNet using the Azure portal, you can specify multiple IP address ranges, 
and you can specify one or more subnets (see Figure 4-2). While creating a subnet, you can also 
create service endpoints if you want to use any of the Azure services. 


Humble Bundle MS Exam Ref Pearson Mega Bundle — © Pearson. Do Not Distribute. 


[Figure: Create Virtual Network blade, IP Addresses tab, with the Edit subnet pane open] 

FIGURE 4-2 Define subnets while creating virtual network 


The following blade also allows you to enable some additional settings, related to Bastion 
Host, DDoS protection, and the Azure Firewall service, as shown in Figure 4-3. 


[Figure: Create Virtual Network blade, Security tab, with Disable/Enable options for BastionHost, DDoS Protection Standard, and Firewall] 

FIGURE 4-3 Security blade while creating virtual network 


Once the VNet has completed provisioning, you can review the settings using the Azure 
portal. Notice the Apps subnet has been created as part of the inputs shown in Figure 4-4. 


To create another subnet in the VNet, click +Subnet on this blade and provide the following 
inputs, as shown in Figure 4-5: 


■ The Name of the subnet 
■ The IP Address Range (CIDR Block) 
■ The NAT Gateway 
■ The Network Security Group (if any) 
■ The Route Table (if any) 
■ The Service Endpoints 
■ The Subnet Delegation 

[Figure: ExamRef-VNet Subnets blade listing the Apps subnet] 

FIGURE 4-4 Subnets for ExamRef-VNet virtual network 

[Figure: Add subnet blade with Name "Data", Subnet address range 10.0.1.0/24 (10.0.1.0 - 10.0.1.255, 251 + 5 Azure reserved addresses), and NAT gateway, Network security group, Route table, Service endpoints, and Subnet delegation all set to None] 

FIGURE 4-5 Add Subnet blade, which is used to add a new subnet to an existing virtual network 
Create and configure VNet peering 


VNet peering allows virtual machines in two separate virtual networks to communicate directly 
by using their private IP addresses. The VNets can either be in the same Azure region or in sep- 
arate Azure regions. Peering between VNets in different regions is called Global VNet peering. 
In all cases, traffic between peered VNets travels over the Microsoft backbone infrastructure, 
not the public Internet. 


NOTE VNET PEERING 


You can peer VNets in different subscriptions, even if those subscriptions are under different 
Azure Active Directory tenants. 


You can also use VNet peering to connect Resource Manager VNets to the older “classic” 
VNets. However, peering between two classic VNets is not supported. (A VNet-to-VNet VPN 
can be used in this case.) 


The peered VNets must have non-overlapping IP address spaces. In addition, the VNet 
address space cannot be modified once the VNet is peered with another VNet. 


MOREINFO PEERING REQUIREMENTS AND CONSTRAINTS 


There are a few requirements and constraints to keep in mind while peering VNets, which 
are found here: https://docs.microsoft.com/azure/virtual-network/virtual-network-manage-peering#requirements-and-constraints. 


VNet peering provides similar network performance between VMs as if they were placed in a 
single large VNet within the same region. There is no bandwidth cap imposed on peered VNets. 
The only limits are those on the VMs themselves, based on VM series and size. 


NOTE PEERING LIMITS 


Be aware of the limit of 500 peering connections per VNet. This is a hard limit. 


No VNet gateways are required by VNet peering. This avoids the cost, throughput limi- 
tations, additional latency, and additional incurred complexity associated with using VNet 
gateways, though you can use VNet gateways to connect to on-premises networks using 
gateway transit. 


NOTE GLOBAL PEERING LIMITATIONS WITH THE LOAD BALANCER’S BASIC TIER 


Global peering cannot be used to access the front-end IP of a basic internal Azure load- 
balancer in the remote virtual network. In these cases, a VNet-to-VNet VPN should be used 
instead. This limitation doesn’t apply with the standard tier of the Load Balancer. 
There are no restrictions on connectivity between the peered VNets, so virtual machines in 
peered VNets can communicate with each other as if they were in the same VNet. In addition, 
the virtualNetwork service tag (described in Skill 4.3) spans the address space of both peered 
networks. 

Alternatively, you can limit connectivity by using the Allow Virtual Network Access option. 
When that option is disabled, there is no automatic outbound connectivity between peered VNets, 
and the virtualNetwork service tag does not include the address space of the peered VNet. In 
this case, you control the connectivity between peered virtual networks using network security 
groups. 

A simple example of VNet peering is shown in Figure 4-6. This shows two VNets that have 
been connected using VNet peering. This allows, for example, the WEB1 virtual machine in 
VNetA to connect to the MYSQL1 database in VNetB. 


[Figure: VNetA with Web Subnet 10.1.1.0/24 containing WEB1 and WEB2 (10.1.1.5), connected by a peering to VNetB with Data Subnet 10.2.1.0/24 containing MYSQL1 (10.2.1.4) and MYSQL2 (10.2.1.5)] 

FIGURE 4-6 VNet Peering between two virtual networks 


Once peered, traffic between VMs is routed through the Microsoft backbone infrastructure. 
Traffic does not pass over the public Internet, even when using global VNet peering to connect 
VNets in different Azure regions. 

While global VNet peering allows for open connectivity between virtual machines across 
VNets in different Azure regions, a limitation is that a VM can only connect to the front-end 
IP address of a basic internal Azure Load Balancer in the same region. 

It is important to understand that VNet peering is a pairwise relationship between two 
virtual networks. To create connectivity across three virtual networks (VNetA, VNetB, and 
VNetC), all three pairs must be peered (VNetA to VNetB; VNetB to VNetC; and VNetA to 
VNetC). This is illustrated in Figure 4-7. 
[Figure: VNetA peered to VNetB and VNetB peered to VNetC, with no implied peering between VNetA and VNetC] 

FIGURE 4-7 VNet peerings do not have a transitive relationship 


Service chaining and hub-and-spoke networks 


A common way to reduce duplication of resources is to use a hub-and-spoke network topol- 
ogy. In this approach, shared resources (such as domain controllers, DNS servers, monitoring 
systems, and so on) are deployed into a dedicated hub VNet. These services are accessed from 
multiple applications, each deployed to their own separate spoke VNets. 


As you have just seen, VNet peering is not transitive. This means there is no automatic con- 
nectivity between spokes in a hub-and-spoke topology. Where such connectivity is required, 
one approach is to deploy additional VNet peerings between spokes. However, with a large 
number of spokes, this can quickly become unwieldy. 


An alternative approach is to deploy a network virtual appliance (NVA) into the hub and use 
user-defined routes (UDRs) to route inter-spoke traffic through the NVA. This is known as 
service chaining, and it enables spoke-to-spoke communication without requiring additional 
VNet peerings, as illustrated in Figure 4-8. 


To transit traffic from one spoke VNet to another spoke VNet via an NVA in the hub VNet, 
the VNet peerings must be configured correctly. By default, a peering connection will only 
accept traffic originating from the VNet to which it is connected. This will not be the case for 
traffic forwarded between spoke VNets via an NVA in a hub VNet. To permit such traffic, the 
Allow Forwarded Traffic setting must be enabled for those VNet peerings. 


Sharing virtual network gateways 


Suppose two peered VNets, say VNet-A and VNet-B, both need to send traffic to an external 
network via a virtual network gateway. Rather than deploy two virtual network gateways, it 
is much simpler and more cost-efficient for both VNets to share a single gateway. This can be 
achieved with local or global peering. 




[Figure: Hub VNet 10.10.0.0/16 containing a network virtual appliance and domain controllers, peered with Spoke VNetA 10.1.2.0/24 and Spoke VNetB 10.1.1.0/24 (web servers and database); route tables on the spokes send inter-spoke traffic through the appliance] 

FIGURE 4-8 Service chaining allows for the use of common services across VNet Peerings 


Suppose the virtual network gateway is deployed to VNet-A, allowing VNet-A to communi- 
cate with the external network. By default, only traffic originating in VNet-A is permitted to use 
this gateway, and the external network is only able to connect to VMs in VNet-A. To allow con- 
nectivity between VNet-B and the external network, the following settings must be configured: 


■ Use Remote Gateways. This setting must be enabled on the peering connection from 
VNet-B to VNet-A. This informs VNet-B of the availability of the gateway in VNet-A. 
Note that to enable this setting, VNet-B cannot have its own virtual network gateway. 

■ Allow Gateway Transit. This option must be enabled on the peering connection from 
VNet-A to VNet-B. This permits traffic from VNet-B to use VNet-A’s gateway to send traffic 
to the external network. Gateway transit can be used for S2S, P2S, and VNet to VNet. 


Note that in this case, the Allow Forwarded Traffic peering option is not required. 
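The peering rules covered in this section (peering is pairwise and never transitive; Allow Forwarded Traffic is needed for service chaining through a hub NVA; Use Remote Gateways on the spoke link and Allow Gateway Transit on the hub link share a gateway; address spaces must not overlap) are easy to get wrong in a large hub-and-spoke design. The following Python is an added example for this section, not code from the book or from an Azure SDK: a small model whose class and method names are this example's own, built on the Hub, Spoke VNetA, and Spoke VNetB address spaces of Figure 4-8. It assumes the forwarded-traffic flag is needed on the spoke-side link of each peering, a detail the chapter does not pin down.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class PeeringLink:
    """One direction of a VNet peering. Azure creates one link in each VNet,
    so a working peering always consists of two mirror-image links."""
    local: str
    remote: str
    allow_virtual_network_access: bool = True
    allow_forwarded_traffic: bool = False
    allow_gateway_transit: bool = False
    use_remote_gateways: bool = False


class VNetTopology:
    """Hypothetical model (not an Azure API) of the peering rules in this section."""

    def __init__(self):
        self.address_spaces = {}   # VNet name -> list of ip_network
        self.gateways = set()      # VNets that have their own virtual network gateway
        self.links = {}            # (local, remote) -> PeeringLink

    def add_vnet(self, name, cidrs, has_gateway=False):
        self.address_spaces[name] = [ipaddress.ip_network(c) for c in cidrs]
        if has_gateway:
            self.gateways.add(name)

    def peer(self, link_ab, link_ba):
        """Create both directions of a peering, enforcing the section's constraints."""
        a, b = link_ab.local, link_ab.remote
        if (link_ba.local, link_ba.remote) != (b, a):
            raise ValueError("the two links must be mirror images of each other")
        # Peered VNets must have non-overlapping address spaces.
        for x in self.address_spaces[a]:
            for y in self.address_spaces[b]:
                if x.overlaps(y):
                    raise ValueError(f"{a} ({x}) overlaps {b} ({y}); cannot peer")
        # A VNet that uses a remote gateway cannot have a gateway of its own,
        # and the remote side must actually have one to share.
        for link in (link_ab, link_ba):
            if link.use_remote_gateways and link.local in self.gateways:
                raise ValueError(f"{link.local} has its own gateway; cannot use remote gateways")
            if link.use_remote_gateways and link.remote not in self.gateways:
                raise ValueError(f"{link.remote} has no gateway to share")
        self.links[(a, b)] = link_ab
        self.links[(b, a)] = link_ba

    def can_reach(self, src, dst):
        """Direct VM-to-VM connectivity. Peering is pairwise: no transitive hops."""
        out, back = self.links.get((src, dst)), self.links.get((dst, src))
        return bool(out and back and out.allow_virtual_network_access
                    and back.allow_virtual_network_access)

    def can_forward_via_hub(self, src, dst, hub):
        """Spoke-to-spoke traffic forwarded by an NVA in the hub (service chaining).
        Assumption: the flag is needed on the spoke-side link of each spoke so that
        forwarded packets are accepted in both directions."""
        if not (self.can_reach(src, hub) and self.can_reach(hub, dst)):
            return False
        return (self.links[(src, hub)].allow_forwarded_traffic
                and self.links[(dst, hub)].allow_forwarded_traffic)

    def can_use_remote_gateway(self, vnet, gateway_vnet):
        """Gateway transit: Use Remote Gateways on the spoke link and Allow Gateway
        Transit on the hub link; Allow Forwarded Traffic is not required for this."""
        spoke_link = self.links.get((vnet, gateway_vnet))
        hub_link = self.links.get((gateway_vnet, vnet))
        return bool(spoke_link and hub_link
                    and gateway_vnet in self.gateways and vnet not in self.gateways
                    and spoke_link.use_remote_gateways and hub_link.allow_gateway_transit)


def figure_4_8_topology():
    """Constructed hub-and-spoke topology using the address spaces from Figure 4-8."""
    topo = VNetTopology()
    topo.add_vnet("Hub", ["10.10.0.0/16"], has_gateway=True)
    topo.add_vnet("SpokeA", ["10.1.2.0/24"])
    topo.add_vnet("SpokeB", ["10.1.1.0/24"])
    for spoke in ("SpokeA", "SpokeB"):
        topo.peer(
            PeeringLink("Hub", spoke, allow_gateway_transit=True),
            PeeringLink(spoke, "Hub", allow_forwarded_traffic=True, use_remote_gateways=True),
        )
    return topo


if __name__ == "__main__":
    t = figure_4_8_topology()
    print(t.can_reach("SpokeA", "Hub"))                      # True
    print(t.can_reach("SpokeA", "SpokeB"))                   # False: no transitive peering
    print(t.can_forward_via_hub("SpokeA", "SpokeB", "Hub"))  # True: service chaining
    print(t.can_use_remote_gateway("SpokeB", "Hub"))         # True: gateway transit
```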


Creating a VNet peering using the Azure portal 


To create a peering connection between two VNets, the VNets must already have been created 
and must not have overlapping address spaces. 


To create a new VNet peering from VNet1 to VNet2, connect to the Azure portal and locate 
VNet1. Under Settings, click Peerings, and then select +Add to open the Add Peering blade. 
Use the following steps to set up a standard peering connection, as shown in Figure 4-9. 


1. Choose a name for the peering from VNet1 to VNet2. In this example, we will use 
VNet1-to-VNet2. 


2. Enter the peer details. You can choose Resource Manager or Use Classic. In this 
example, we will choose Resource Manager. 


3. Select the subscription for VNet2 from the Subscription drop-down menu. 
4. From the Virtual Network dropdown, choose VNet2. 
5. Set the Name Of The Peering From VNet2 To VNet1 option to VNet2-to-VNet1. 
TIP KNOWN RESOURCE ID 


Alternatively, instead of entering a name, you can specify the peer VNet by selecting the 
I Know My Resource ID checkbox and entering the peer VNet resource ID. 


6. Select the following virtual network access settings: 
■ Allow Virtual Network Access From VNet1 To VNet2. Enabled 
■ Allow Virtual Network Access From VNet2 To VNet1. Enabled 
7. Select the forwarded traffic settings: 
■ Allow Forwarded Traffic From VNet2 To VNet1. Disabled 
■ Allow Forwarded Traffic From VNet1 To VNet2. Disabled 


8. Under Configure Gateway Transit Settings, leave Allow Gateway Transit unselected. 


[Figure: Add peering blade for VNet1, with the peering names VNet1-to-VNet2 and VNet2-to-VNet1, the Resource manager deployment model, the subscription and virtual network selectors, and the virtual network access, forwarded traffic, and gateway transit settings] 

FIGURE 4-9 Adding peering from VNet1 to VNet2 using the Azure portal 
9. Click OK to create the peering between VNet1 and VNet2. Once the peering has completed
provisioning, it will appear in the Azure portal with the peering status as Connected
to peer network VNet2, as shown in Figure 4-10.


[Screenshot: the Peerings list for VNet1 showing Name VNet1-to-VNet2, Peering status Connected, Peer VNet2, Gateway transit Disabled]

FIGURE 4-10 VNet1-to-VNet2 peering showing as Connected in the Azure portal


10. If you return to the peering blade of VNet2, you will see that the Peering Status of
VNet2 to VNet1 shows as Connected (see Figure 4-11).


[Screenshot: the Peerings list for VNet2 showing Name VNet2-to-VNet1, Peering status Connected, Peer VNet1, Gateway transit Disabled]

FIGURE 4-11 VNet2-to-VNet1 peering showing as Connected in the Azure portal


Now, VNet1 and VNet2 are peers, and VMs on these networks can communicate with each 
other as if this was a single virtual network. 
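The same two peering links created with Azure PowerShell instead of the portal; this is an added example, not the book's own, and it assumes the Az.Network module, that Connect-AzAccount has been run, and that VNet1 and VNet2 both live in the ExamRef-RG resource group shown in the figures.

```powershell
# Added example (not from the book): peer VNet1 and VNet2 with Az PowerShell.
# Assumes Az.Network is installed and Connect-AzAccount has already been run.
$rg = 'ExamRef-RG'   # resource group name taken from the figures (assumption)

$vnet1 = Get-AzVirtualNetwork -Name 'VNet1' -ResourceGroupName $rg
$vnet2 = Get-AzVirtualNetwork -Name 'VNet2' -ResourceGroupName $rg

# Link 1: VNet1 -> VNet2. Virtual network access is allowed by default; forwarded
# traffic and gateway transit stay disabled unless -AllowForwardedTraffic or
# -AllowGatewayTransit is passed, which matches steps 6 through 8 above.
Add-AzVirtualNetworkPeering -Name 'VNet1-to-VNet2' `
    -VirtualNetwork $vnet1 -RemoteVirtualNetworkId $vnet2.Id | Out-Null

# Link 2: VNet2 -> VNet1. Without this second link the first one stays in the
# Initiated state and no traffic flows between the networks.
Add-AzVirtualNetworkPeering -Name 'VNet2-to-VNet1' `
    -VirtualNetwork $vnet2 -RemoteVirtualNetworkId $vnet1.Id | Out-Null

# Verify both links report PeeringState = Connected (as in Figures 4-10 and 4-11)
# and that the access / forwarding / transit flags are what was intended.
foreach ($vnetName in 'VNet1', 'VNet2') {
    Get-AzVirtualNetworkPeering -VirtualNetworkName $vnetName -ResourceGroupName $rg |
        Select-Object Name, PeeringState, AllowVirtualNetworkAccess, `
                      AllowForwardedTraffic, AllowGatewayTransit
}
```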


Configure private and public IP addresses and network interfaces


VMs in Azure use TCP/IP to communicate with services in Azure, other VMs you have deployed
in Azure, on-premises networks, and the Internet. Just as a physical server uses a network
interface card (NIC) to connect to a physical network, virtual machines use a network interface
resource (also referred to as a NIC) to connect to a virtual network or the Internet.


There are two types of IP addresses you can use in Azure: 
■ Public IP addresses. Used for communication with the Internet
■ Private IP addresses. Used for communication within Azure virtual networks and
connected on-premises networks


This section focuses on how to deploy and manage private IP addresses and network 
interfaces. Public IP addresses are discussed in the next section. 


Network interfaces 


Both public and private IP addresses are configured on virtual machines using network inter- 
face resources. Therefore, to understand how to use public and private IP addresses with your 
virtual machine, you first must understand network interfaces. A network interface is a stand- 
alone Azure resource. Because its only purpose is to provide network connectivity for virtual 
machines, it is typically provisioned and deleted with its corresponding virtual machine. 


Just as a physical server can have more than one network card, you can associate multiple 
network interfaces with a single virtual machine. This is a common practice when configuring 
virtual machines to act as network virtual appliances. These appliances provide network security 
as well as routing and other features similar to physical network devices in a traditional network. 
Table 4-3 details the settings of each network interface resource in Azure.


TABLE 4-3 Network interface settings

Setting                 Description

Name                    This is the network interface name, which must be unique within the resource
                        group. It can be between 1-80 characters, and it may contain letters (case
                        insensitive), numbers, underscores, periods, or hyphens. The name must start
                        with a letter or number and end with a letter, number, or underscore.

Location                This is the location of the resource, and it must be the same as the location of
                        any virtual network or any virtual machine to which the network interface will be
                        connected.

DNS Settings            If specified, these DNS servers are configured on virtual machines in the virtual
                        network in place of the Azure-provided DNS servers. This setting will override the
                        VNet-level DNS settings, if both are specified.

IP Forwarding           Used to enable IP forwarding on this network interface. It allows the VM using
                        the interface to receive traffic that is not sent to one of the IPs in the IP
                        configurations. Also, it allows the VM to send traffic using an IP address that
                        is not in the IP configurations.

IP Configurations       This is a list of IP configurations for the network interface. These are the most
                        important settings, which contain the public and private IP addresses.

Network Security Group  This setting will display the name of any NSGs associated with this interface.

Accelerated Networking  This setting is used to enable accelerated networking, though it is only
                        supported on certain VM sizes.


The most important setting of the network interface is the IP configuration. This is where the
public and private IP address settings are configured. Each network interface supports an array of
IP configurations, which enables each network interface to support multiple IP addresses.


Private IP addresses 


Private IP addresses are configured within the IP configurations of the network interface. They 
are not a separate resource. Each IP configuration specifies a single subnet, and the private 
IP address is allocated from the address space of that subnet. 


There are two methods used to assign private IP addresses: dynamic or static. The default 
allocation method is dynamic, where the IP address is automatically allocated from the 
resource’s subnet (using an Azure DHCP server). 


Dynamic allocation assigns private IP addresses from each subnet in order, starting with the 
lowest available IP in the subnet IP range. Remember that the first four IP addresses in each 
subnet are reserved by the Azure platform. For example, if the subnet is 10.10.0.0/24, the first 
private IP to be allocated will be 10.10.0.4 (because 10.10.0.0 to 10.10.0.3 are reserved). 


A dynamically allocated IP address can change when you stop and start the associated
virtual machine. To avoid this, private IP addresses can also be allocated statically. This is
used where you want to control which IP address is assigned to a specific server and for that
IP address to remain fixed.
Static private IP addresses are commonly used for:
■ Virtual machines that act as domain controllers or DNS servers
■ Resources that require firewall rules using IP addresses
■ Resources accessed by other apps/resources through an IP address explicitly, rather than
a domain name

To configure a static private IP address, simply specify the static IP allocation within the 
network interface IP configuration, together with the desired IP address. By default, when you 
change to static, Azure will assign the previously assigned dynamic IP address. 

When changing a private IP address, you might need to manually review and update 
the VM's network settings. For this reason, it is preferable to plan and specify static private 
IP addresses in advance when first provisioning the virtual machine. 


NOTE CONFIGURING STATIC PRIVATE IP ADDRESSES

Static private IP addresses should only be configured in the Azure network interface resource.
They will be assigned to the virtual machine using DHCP, just like with dynamic private
IP addresses.


Both IPv4 and IPv6 private IP addresses are supported. Each network interface must
have one private IPv4 address assigned as the primary IP configuration. You can add one or
more IPv4 addresses as secondary IP configurations. Each network interface can be assigned zero
or a maximum of one private IPv6 address as a secondary IP configuration.


NOTE DYNAMIC AND STATIC PRIVATE IP ASSIGNMENT

Private IPv4 address assignments can be either dynamic or static. Private IPv6 addresses can
only be assigned dynamically.


Enabling static private IP addresses on VMs with the Azure portal 


The network interface of a VM holds the configurations of the private IP address. This is known 
as the IP configuration. Using the Azure portal, you can modify the private IP address alloca- 
tion method for the IP configuration from dynamic to static. You can also use the Azure portal 
to manage other network interface settings, such as assigning network security groups, public 
IP addresses, and adding new IP configurations. 

Using the Azure portal, locate the network interface for the VM to be assigned a static 
IP address. Once the blade loads for the NIC, click IP Configurations and then select the 
IP configuration you want to update. The IP Configuration blade is shown in Figure 4-12. Here, 
you can update the private IP address allocation method to Static and specify the IP Address. 
[Screenshot: the ipconfig1 IP configuration blade of network interface examref913. The portal warns that the virtual machine associated with this network interface will be restarted to utilize the new private IP address, and that the network interface will be re-provisioned, so network configuration settings inside the VM, including secondary IP addresses, subnet masks, and default gateway, will need to be manually reconfigured.]

FIGURE 4-12 Assigning a Static Private IP Address to a NIC
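The same change made with Azure PowerShell, keeping the address Azure already handed out (the portal's default when switching to Static); this is an added example rather than the book's own code, and it assumes the Az.Network module plus the ExamRef-RG resource group and examref913 network interface named in the figures.

```powershell
# Added example (not from the book): switch a NIC's primary IP configuration from
# dynamic to static allocation. Assumes Az.Network, resource group ExamRef-RG and
# network interface examref913 (names taken from the figures).
$rg  = 'ExamRef-RG'
$nic = Get-AzNetworkInterface -Name 'examref913' -ResourceGroupName $rg

# The primary IP configuration is the first entry. Its address was DHCP-assigned
# from the subnet (the first usable address is .4, since .0 to .3 are reserved).
$ipconfig = $nic.IpConfigurations[0]
Write-Host "Before: $($ipconfig.PrivateIpAddress) ($($ipconfig.PrivateIpAllocationMethod))"

# Keep the address Azure already assigned, as the portal does by default when you
# switch to Static. Replace $newIp with another free address in the subnet if you
# need a specific one (e.g. for a domain controller or DNS server).
$newIp = $ipconfig.PrivateIpAddress
$ipconfig.PrivateIpAllocationMethod = 'Static'
$ipconfig.PrivateIpAddress = $newIp

# Commit the change. As the portal warns, the NIC is re-provisioned and the VM
# restarted; the guest still receives the address via DHCP, but secondary IPs,
# subnet masks and default gateway configured inside the guest must be re-checked.
$nic = Set-AzNetworkInterface -NetworkInterface $nic

$after = $nic.IpConfigurations[0]
Write-Host "After:  $($after.PrivateIpAddress) ($($after.PrivateIpAllocationMethod))"
```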


Create and configure public IP addresses 


Associating a public IP address with a network interface creates an Internet-facing endpoint, 
allowing your virtual machine to receive network traffic directly from the Internet. 


A public IP address is a standalone Azure resource. This contrasts with a private IP address 
that exists only as a collection of settings on another resource, such as a network interface or 
a Load Balancer. 

To associate a public IP address with a virtual machine, the IP configuration of the net- 
work interface must be updated to contain a reference to the public IP address resource. As a 
standalone resource, public IP addresses can be created and deleted independently as well as 
moved from one virtual machine to another. 


Basic vs Standard Pricing Tiers 


Public IP addresses are available at two pricing tiers (or SKUs): Basic or Standard. All Public 
IP Addresses created before the introduction of these tiers are mapped to the Basic tier. 

The Standard tier Public IP Addresses support zone-redundant deployment, allowing you 
to use availability zones to protect your deployments against potential outages caused by data 
center-level failures (such as fire, power failure, or cooling failure). There are a number of other 
important differences between the two tiers, as summarized in Table 4-4. 
TABLE 4-4 Comparison of public IP address Basic and Standard tiers

Feature               Basic Tier                                    Standard Tier

Allocation method     Supports both static and dynamic              Supports static allocation only.
                      allocation methods.

Traffic restrictions  Open by default for inbound traffic. Use      Closed by default for inbound traffic. Use
                      NSGs to restrict inbound or outbound          NSGs to allow inbound traffic and restrict
                      traffic.                                      outbound traffic.

Redundancy            Not zone redundant and doesn't support        Zone redundant by default, or it can
                      availability zones.                           instead be assigned to a specific
                                                                    availability zone.

Public IP prefixes    Does not support public IP prefixes           Supports public IP prefixes, allowing
                      (discussed later).                            IP addresses to be assigned from a
                                                                    contiguous IP address block.


Public IP address allocation 


As with private IP addresses, public IP addresses support both dynamic and static IP allocation. 
For the Basic tier, both static and dynamic allocation are supported, the default being dynamic. 
For the Standard tier, only static allocation is supported. 


Under dynamic allocation, an actual IP address is only allocated to the public IP address 
resource when the resource is in use—that is, when it is associated with a resource such as 
a running virtual machine. If the virtual machine is stopped (deallocated) or deleted, the 
IP address assigned to the public IP address resource is released and returned to the pool of 
available IP addresses managed by Azure. When you restart the virtual machine, a different 
IP address will most likely be assigned. 


If you want to retain the IP address, the public IP address resource should be configured 
to use static IP allocation. An IP address will be assigned immediately (if one was not already 
dynamically assigned). This IP address will never change, regardless of whether the associated 
virtual machine is stopped or deleted. 

Typically, static public IP addresses are used in scenarios where a dependency is defined by 
a particular IP address. For example, static IP addresses are commonly used in the following 
scenarios: 

■ Where firewall rules specify an IP address
■ Where a DNS record would need to be updated when an IP address changes
■ Where the source IP address is used as a (weak) form of authentication of the traffic
source
■ Where an SSL certificate specifies an explicit IP address rather than a domain name

With private IP addresses, static allocation allows you to specify the IP address to use from
the available subnet address range. In contrast, static allocation of public IP addresses does not 
allow you to specify which public IP address to use. Azure assigns the IP address from a pool of 
IP addresses in the Azure region where the resource is located. 
Public IP address prefixes

When using multiple public IP addresses, it can be convenient to have all of the IP addresses 
allocated from a single IP range or prefix. For example, when configuring firewall rules, this 
allows you to configure a single rule for the prefix, rather than separate rules for each IP address. 

To support this scenario, Azure allows you to reserve a public IP address prefix. Public IP 
address resources associated with that prefix will have their IP addresses assigned from that 
range, rather than from the general-purpose Azure pool. 

When creating a prefix, specify the prefix resource name, subnet size (for example, /28 for 
16 IP addresses), and the Azure region where the IP addresses will be allocated. 

Once the prefix is created, individual public IP addresses can be created that are associated 
with this prefix. Note that only standard-tier public IP addresses support allocation from a pre- 
fix, and thus only static allocation is supported. The IP address assigned to these resources will 
be taken from the prefix range—you cannot specify a specific IP address from the range. 


NOTE PREFIX BENEFITS AND CONSTRAINTS

See the following links for the benefits and constraints of public IP address prefixes:
■ Benefits: https://docs.microsoft.com/azure/virtual-network/public-ip-address-prefix#benefits
■ Constraints: https://docs.microsoft.com/azure/virtual-network/public-ip-address-prefix#constraints


DNS LABELS 

The Domain Name System (DNS) can be used to create a mapping from a domain name to an 
IP address. This allows you to reference IP address endpoints using a domain name, rather than 
using the assigned IP address directly. 


There are four ways to configure a DNS label for an Azure public IP address: 
1. By specifying the DNS name label property of the public IP address resource 


2. By creating a DNS A record in Azure DNS or a third-party DNS service hosting a DNS 
domain 

3. By creating a DNS CNAME record in Azure DNS or a third-party DNS service hosting a DNS 
domain 


4. By creating an alias record in Azure DNS 


SPECIFYING DNS NAME LABEL PROPERTY 

With this option, you specify the left-most part of the DNS label as a property in the public IP
address resource. Azure provides the DNS suffix, which will be of the form
<region>.cloudapp.azure.com. The DNS label you provide is concatenated with this suffix to form
the fully qualified domain name (FQDN), which can be used to look up the IP address via a DNS query.

For example, if your public IP address is deployed to the Central US region, and you specify
the DNS label contoso-app, then the FQDN will be contoso-app.centralus.cloudapp.azure.com.


The major limitation of this approach is that the DNS suffix is taken from an Azure-provided 
DNS domain. It does not support the use of your own vanity domain, such as contoso.com. To 
address this, you will need to use one of the other approaches. 


CREATING A DNS A RECORD 

In this approach, you will have already hosted your vanity domain either in Azure DNS or a
third-party DNS service. Using your hosting service, you can create a DNS entry in your vanity 
domain mapping to your public IP address resource. If you use a DNS A record, which maps 
directly to an IP address, you will need to update the DNS record if the assigned IP address 
changes. To avoid this, you will probably prefer using static rather than dynamic IP allocation. 


CREATING A DNS CNAME RECORD 

In this approach, you start by creating a DNS label for your public IP address. You then create
a CNAME record in your vanity domain, which maps your chosen domain name to the Azure-
provided DNS name. For example, you might map www.contoso.com to
contoso-app.centralus.cloudapp.azure.com. This approach has the advantage of avoiding the
need for static IP allocation because the Azure-provided DNS entry updates automatically if
the assigned IP address changes. However, the downside of this approach is that the Domain
Name System does not support CNAME records at the apex (or root) of a DNS domain, which
means while you can create a CNAME record for www.contoso.com, you cannot create one for
contoso.com (without the www).


CREATING AN ALIAS RECORD 

In this approach, your vanity domain must be hosted in Azure DNS. You can then create an 
alias record, which works the same as an A record, except that rather than specifying the 
assigned IP address value explicitly in the DNS record, you simply reference the public IP 
address resource. The assigned IP address is taken from this resource and automatically con- 
figured in your DNS alias record. With alias records, the DNS record is automatically updated if 
the assigned IP address changes, avoiding the need for static IP allocation. 


Outbound Internet connections 


When a public IP address is assigned to a virtual machine's network interface, outbound traf- 
fic to the Internet will be routed through that IP address. The recipient will see your public IP 
address as the source IP address for the connection. 

However, the virtual machine itself does not see the public IP address in its network 
settings—it only sees the private IP address. Traffic leaves the virtual machine via the private 
IP address, and Source Network Address Translation (SNAT) is used to map the outbound traf- 
fic from the private IP address to the public IP address. 

Note that a public IP address is not required for outbound Internet traffic. Even without a 
public IP address assigned, virtual machines can still make outbound Internet connections. In 
this case, SNAT is used to map the private IP address to the Internet-facing IP address. 
IPv4 and IPv6


Public IP address resources can use either an IPv4 or IPv6 address (but not both). Note that 
IPv6 support is limited as follows: 


■ Only the Basic tier is supported.
■ Only dynamic allocation is supported.


Creating a public IP address using the Azure portal 


Creating a new public IP address is a simple process when using Azure portal. Click New, and 
then search for public IP address in the marketplace. Like all resources in Azure, some details 
will be required, including the name of the resource, the SKU (or pricing tier), the DNS name 
label, idle time-out, subscription, resource group, and location/region. For the Basic SKU, you 
also specify the IP version and static or dynamic assignment. For the Standard SKU, choose 
between zone-redundant deployment or a specific availability zone. 


The location is critical, as an IP address must be in the same location/region as the vir- 
tual machine or other resource that will use it. Figure 4-13 shows the Azure Create Public 
IP Address blade. 
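The public IP from Figure 4-13 created with Azure PowerShell, then published under a vanity domain using the CNAME and alias-record approaches from the DNS labels section; this is an added example, not the book's own code, and it assumes the Az.Network and Az.Dns modules, the ExamRef-RG resource group, and an Azure DNS zone named contoso.com (constructed for the example) already hosted in that group.

```powershell
# Added example (not from the book): Standard-tier static public IP with a DNS name
# label, then a CNAME for www and an alias record at the zone apex.
# Assumes Az.Network, Az.Dns, resource group ExamRef-RG and an Azure DNS zone
# contoso.com in that resource group (zone name constructed for the example).
$rg   = 'ExamRef-RG'
$zone = 'contoso.com'

# Standard SKU: static allocation only, closed to inbound traffic until an NSG allows
# it, zone-redundant unless -Zone is given. Azure appends the regional suffix, so the
# label below resolves as examref-ip.canadacentral.cloudapp.azure.com (Figure 4-13).
$pip = New-AzPublicIpAddress -Name 'Exam-Ref-IP' -ResourceGroupName $rg `
    -Location 'canadacentral' -Sku 'Standard' -AllocationMethod 'Static' `
    -DomainNameLabel 'examref-ip'
Write-Host "Assigned: $($pip.IpAddress)  FQDN: $($pip.DnsSettings.Fqdn)"

# CNAME approach: www.contoso.com -> the Azure-provided name. Follows IP changes
# automatically, but DNS forbids a CNAME at the apex, so it cannot cover contoso.com.
New-AzDnsRecordSet -Name 'www' -RecordType CNAME -ZoneName $zone -ResourceGroupName $rg `
    -Ttl 3600 -DnsRecords (New-AzDnsRecordConfig -Cname $pip.DnsSettings.Fqdn) | Out-Null

# Alias approach (Azure DNS only): the apex A record references the public IP
# resource instead of a literal address, so Azure DNS tracks the assigned IP itself.
New-AzDnsRecordSet -Name '@' -RecordType A -ZoneName $zone -ResourceGroupName $rg `
    -Ttl 3600 -TargetResourceId $pip.Id | Out-Null

# A plain A record would instead embed $pip.IpAddress and need manual updating
# whenever the address changes, which is why it is normally paired with static
# allocation. Shown here for comparison, not run:
# New-AzDnsRecordSet -Name 'app' -RecordType A -ZoneName $zone -ResourceGroupName $rg `
#     -Ttl 3600 -DnsRecords (New-AzDnsRecordConfig -Ipv4Address $pip.IpAddress)

# Confirm both record sets exist in the zone.
Get-AzDnsRecordSet -ZoneName $zone -ResourceGroupName $rg |
    Where-Object { $_.RecordType -in 'A', 'CNAME' } |
    Select-Object Name, RecordType, Ttl, TargetResourceId
```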


Configure network routes 


Network routes control how traffic is routed in your network. Azure provides default routing 
for common scenarios, with the ability to configure your own network routes where necessary. 


System routes 


Azure VMs that are in the same VNet can communicate automatically with each other and with 
the Internet without any explicit configuration changes, even when they are in different sub- 
nets. This is also the case for communication from the VMs to your on-premises network when 
a hybrid connection from Azure to your data center has been established. 


This ease of setup is made possible by what is known as system routes, which define how 
IP traffic flows in Azure VNets. The following are the default system routes that Azure will use 
and provide for you: 


■ Within the same subnet
■ From one subnet to another within a VNet
■ VMs to the Internet
■ A VNet to another VNet through a VPN gateway (optional)
■ A VNet to another VNet through VNet peering (optional)
■ A VNet to your on-premises network through a VPN gateway or ExpressRoute (optional)
■ VirtualNetworkServiceEndpoint (optional)
[Screenshot: the Create public IP address blade with IP Version IPv4, SKU Standard, Name Exam-Ref-IP, IP address assignment Static, DNS name label examref-ip (suffix canadacentral.cloudapp.azure.com), Subscription Visual Studio Ultimate with MSDN, Resource group ExamRef-RG, Location (Canada) Canada Central, Availability zone Zone-redundant]

FIGURE 4-13 Creating a Public IP Address in the Azure portal


Figure 4-14 shows an example of how these system routes make it easy to get up and running.
System routes provide for most typical scenarios by default, without you having to make
any routing configuration.
[Diagram: the Internet, the Data subnet and the other application tiers inside a Virtual Network, connected by system routes]

FIGURE 4-14 N-Tier application deployed to Azure VNet using System Routes


User-defined routes 


There are some use cases where you will want to configure the routing of packets differently 
from what is provided by the default system routes. One of these scenarios is when you want to 
send traffic through a network virtual appliance, such as a third-party Load Balancer, firewall, 
or router deployed into your VNet from the Azure Marketplace. 

To make this possible, you must create what are known as user-defined routes (UDRs). The 
UDR is implemented by creating a route table resource. Within the route table, a number of 
routes are configured. Each route specifies the destination IP range (in CIDR notation) and the 
next hop IP address. A variety of different types of next hop are supported: 

■ Virtual Appliance. A virtual machine running a network application such as a load
balancer or firewall. With this next hop type, you also specify the IP address of the
appliance, which can be a virtual machine or internal load balancer for high-availability
virtual appliances.

■ Virtual Network Gateway. Used to route traffic to a VPN Gateway (but not an
ExpressRoute Gateway, which uses BGP for custom routes). Because there can be only
one VPN Gateway associated with a VNet, you are not prompted to specify the actual
gateway resource.

■ Virtual Network. Used to route traffic within the Virtual Network.

■ Internet. Used to route a specific IP address or prefix to the Internet.

■ None. Used to drop all traffic sent to a given IP address or prefix.


This route table is then associated with one or more subnets. Traffic originating in the 
subnet whose destination matches the destination IP range of a route table rule will instead 
be routed to the corresponding next hop IP address. The service running at this IP address is
responsible for all onward routing.


NOTE ROUTE TABLES 


You can have multiple route tables, and the same route table can be associated to one or more 
subnets. Each subnet can only be associated to a single route table. All VMs in a subnet use the 
route table associated to that subnet. 


Figure 4-15 shows a UDR that has been created to direct outbound traffic via a virtual 
appliance. In this case the appliance is a firewall running as a VM in Azure in the DMZ subnet. 
The same appliance can also be used to filter traffic between the Apps and Data subnets. An 
example route table implementing this design is shown in Figure 4-16. 
FIGURE 4-15 N-Tier application deployed with a firewall using user-defined routes

FIGURE 4-16 Route table rules forcing network traffic through a firewall

NOTE DEDICATED SUBNETS FOR NETWORK APPLIANCES


Do not apply a route table to a subnet if the route table contains a rule with a next hop 
address within that subnet. To do so could create a routing loop. For this reason, virtual net- 
work appliances should be deployed to dedicated subnets, separate from the resources that 
route through that appliance. 


IP forwarding 


User-defined routes (UDR) allow for changing the default system routes that Azure creates for 
you in an Azure VNet. In the virtual appliance scenario, the UDRs forward traffic to a virtual 
appliance such as a firewall, which is running as an Azure virtual machine. 


By default, a virtual machine in Azure will not accept a network packet addressed to a 
different IP address. For that traffic to be allowed to pass into that virtual appliance, you 
must enable IP forwarding on the network interface of the virtual machine. This configura- 
tion doesn't typically involve any changes to the Azure UDR or VNet, but depending on the 
scenario, you might need to make some configuration changes in the VM's OS to enable this to 
work correctly. 


IP forwarding can be enabled on a network interface by using the Azure portal, PowerShell, 
or the Azure CLI. In Figure 4-17, you see that the network interface of the NGFW1 VM has the 
IP forwarding set as Enabled. This VM is now able to accept and send packets that were not 
originally intended for this VM. 
FIGURE 4-17 IP forwarding enabled on network interface


How routes are applied 


A given network packet may match multiple route table rules. When designing and imple- 
menting custom routes, it's important to understand the precedence rules that Azure applies. 
If multiple routes contain the same address prefix, Azure selects the route type based on
the following priorities:


1. User-defined routes 


2. System routes for traffic in a virtual network, across a virtual network peering, or to a 
virtual network service endpoint 


3. BGP routes 
4. Other system routes 


Within a single route table, a given network packet may match multiple routing rules. There 
is no explicit precedence order on the rules in a route table. Instead, precedence is given to the 
rule with the most specific match to the destination IP address. If an IP address matches two 
rules, the longest prefix match algorithm is used to select the route. 


For example, if a route table contains one rule for prefix 10.10.0.0/16, and another rule for
10.10.30.0/28, then any traffic to IP address 10.10.30.4 will be matched against the second rule
in preference to the first.


When troubleshooting networking issues, it can be useful to get a deeper insight into 
exactly which routes are being applied to a given network interface. The effective routes fea- 
ture of each network interface allows you to see the full details of every network route applied 
to that network interface, giving you full insight into how each outbound connection will be 
routed based on the destination IP address. 


Forced tunneling 


A special case is when routes are configured with the destination IP prefix 0.0.0.0/0. Given the
precedence rules described above, this route controls traffic destined for any IP address that is
not covered by any other rule.


By default, Azure implements a system route directing all traffic matching 0.0.0.0/0 (and 
not matching any other route) to the Internet. If you override this route, this traffic is instead 
directed to the next hop you specify. By using a VPN Gateway as the next hop, you can direct 
all Internet-bound traffic over your VPN connection to an on-premises network security appli- 
ance. This is known as forced tunneling. 
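The longest-prefix-match step described above, worked through on a constructed route list that contains the two rules from the text plus a 0.0.0.0/0 forced-tunneling route; this is an added example with no Azure dependency, not the book's own code, and the next-hop values on the sample routes are made up for illustration.

```powershell
# Added example (not from the book): longest-prefix-match selection among routes
# that all match a destination, the rule Azure applies within a single route table.
# Runs offline; the route list below is constructed sample data.

function ConvertTo-AddressInt {
    param([string]$Address)
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    [Array]::Reverse($bytes)   # GetAddressBytes() is network (big-endian) order
    return [BitConverter]::ToUInt32($bytes, 0)
}

function Test-PrefixMatch {
    param([string]$Address, [string]$Prefix)
    $network, $length = $Prefix -split '/'
    $length = [int]$length
    # Mask with the top $length bits set; /0 gives an all-zero mask, so 0.0.0.0/0
    # matches every address. Computed arithmetically to avoid PowerShell's
    # treatment of 0xFFFFFFFF as the Int32 value -1.
    $mask = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - $length))
    $addr = ConvertTo-AddressInt $Address
    $net  = ConvertTo-AddressInt $network
    return (($addr -band $mask) -eq ($net -band $mask))
}

function Select-EffectiveRoute {
    param([string]$Destination, [object[]]$Routes)
    # Of all routes whose prefix contains the destination, the most specific
    # (longest prefix length) wins; 0.0.0.0/0 is therefore only a last resort.
    $Routes |
        Where-Object { Test-PrefixMatch -Address $Destination -Prefix $_.AddressPrefix } |
        Sort-Object { [int](($_.AddressPrefix -split '/')[1]) } -Descending |
        Select-Object -First 1
}

# Constructed sample routes: the two prefixes from the text, plus a default route
# pointed at the VPN gateway as in forced tunneling.
$routes = @(
    [pscustomobject]@{ AddressPrefix = '10.10.0.0/16';  NextHopType = 'VnetLocal' }
    [pscustomobject]@{ AddressPrefix = '10.10.30.0/28'; NextHopType = 'VirtualAppliance' }
    [pscustomobject]@{ AddressPrefix = '0.0.0.0/0';     NextHopType = 'VirtualNetworkGateway' }
)

foreach ($dest in '10.10.30.4', '10.10.31.4', '40.64.0.1') {
    $r = Select-EffectiveRoute -Destination $dest -Routes $routes
    '{0,-12} -> {1,-14} via {2}' -f $dest, $r.AddressPrefix, $r.NextHopType
}
# 10.10.30.4 matches all three and takes the /28 (VirtualAppliance);
# 10.10.31.4 falls outside the /28 and takes the /16;
# 40.64.0.1 matches only 0.0.0.0/0 and is forced through the VPN gateway.
```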


Configure user-defined routes using the Azure portal 


To configure user-defined routes, the first step is to create a route table resource. From the 
Azure portal, click +Create A Resource > Networking > Route Table to open the Create 
Route Table blade, as shown in Figure 4-18. Select the Subscription and Resource Group 
from the drop-down menus, fill in the route table Name and specify the route table Region, 
which must be the same Azure region that the subnets use with this route table. 


Having created the route table, the next step is to define the routes. Open the route table 
blade, and under Settings click Routes to open the list of routes in the route table. Then click 
+Add to open the Add Route blade, as shown in Figure 4-19. 
[Screenshot: the Create Route table blade, Basics tab, with Subscription Visual Studio Ultimate with MSDN, Resource group ExamRef-RG, Region Canada Central, and Name ExamRef-RouteTable]

FIGURE 4-18 The Create Route Table blade in the Azure portal
[Screenshot: the Add route blade for ExamRef-RouteTable with Route name VNet3-Route, Address prefix 10.3.0.0/16, Next hop type Virtual appliance, and Next hop address 10.2.20.4. The blade reminds you to ensure IP forwarding is enabled on your virtual appliance, which you can do from the respective network interface's IP address settings.]

FIGURE 4-19 The Add Route Blade in the Azure portal


Repeat this process for each custom route in the route table. The list of routes in the route 
table will be shown in the route table blade, as shown in Figure 4-20. 


[Screenshot: the Routes list showing VNet3-Route with address prefix 10.3.0.0/16 and next hop 10.2.20.4 (Virtual appliance)]

FIGURE 4-20 The list of routes in the route table blade in the Azure portal


The final step is to specify which subnets this route table should be associated with. This can 
be configured either from the subnet, or from the route table. In the latter case, from the route 
table blade under Settings, click Subnets to open the list of subnets associated with the route 
table. Click +Associate to open the Associate Subnet blade, as shown in Figure 4-21. 
FIGURE 4-21 The Associate Subnet blade for a route table, in the Azure portal


After creating the subnet association, the route table blade will show a list of associated 
subnets as shown in Figure 4-22. 
FIGURE 4-22 The list of subnets in the route table blade in the Azure portal


To see the effective routes for a given network interface, navigate to the network interface 
blade in the Azure portal and then click Effective Routes to open the Effective Routes blade, 
as shown in Figure 4-23. 
FIGURE 4-23 The list of effective routes for the examref913 network interface
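The effective-routes view shows the result of longest-prefix matching over system and custom routes. As an added example (not code from the book), the following Python reproduces that selection for the VNet3-Route entry from Figure 4-19; the VNet address space 10.2.0.0/16 and the system routes are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional

# On an exact-prefix tie a custom (user-defined) route wins over a system route.
SOURCE_PRIORITY = {"Custom": 0, "System": 1}


@dataclass(frozen=True)
class Route:
    name: str
    prefix: str
    next_hop_type: str
    next_hop_address: Optional[str] = None   # only VirtualAppliance routes carry one
    source: str = "Custom"


# System routes the platform creates for a VNet with address space 10.2.0.0/16
# (constructed for this example), plus the custom route from Figure 4-19.
# The VirtualAppliance next hop (10.2.20.4) must have IP forwarding enabled on its NIC.
ROUTES: List[Route] = [
    Route("VnetLocal", "10.2.0.0/16", "VnetLocal", source="System"),
    Route("Internet", "0.0.0.0/0", "Internet", source="System"),
    Route("VNet3-Route", "10.3.0.0/16", "VirtualAppliance", "10.2.20.4"),
]


def effective_route(destination: str, routes: Iterable[Route]) -> Optional[Route]:
    """Pick the route the platform would apply: longest matching prefix, then source priority."""
    dest = ipaddress.ip_address(destination)
    best, best_key = None, None
    for route in routes:
        net = ipaddress.ip_network(route.prefix, strict=False)
        if dest not in net:
            continue
        key = (net.prefixlen, -SOURCE_PRIORITY[route.source])
        if best_key is None or key > best_key:
            best, best_key = route, key
    return best


def next_hop(destination: str, routes: Iterable[Route]) -> Optional[str]:
    """Next hop address for appliance routes, otherwise the next hop type (VnetLocal, Internet...)."""
    route = effective_route(destination, routes)
    if route is None:
        return None
    return route.next_hop_address or route.next_hop_type


if __name__ == "__main__":
    for dest in ("10.3.4.5", "10.2.1.1", "8.8.8.8"):
        print(dest, "->", next_hop(dest, ROUTES))
```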


Configure endpoints on subnets 


Service endpoints are a mechanism to integrate Azure PaaS services into your virtual network 
and access them through the Microsoft Azure backbone network instead of over the Internet. 
Service endpoints prevent the exposure of data and services to the Internet. Service endpoints can 
be enabled on subnets, and you can also add service endpoints to multiple subnets from the 
virtual network settings. As of the time this book was published, service endpoints are sup- 
ported for the following services: 


■ Azure Storage 

■ Azure SQL Databases 

■ Azure Synapse Analytics 

■ Azure SQL Data Warehouse 

■ Azure Database for MySQL & MariaDB 

■ Azure Cosmos DB 

■ Azure Key Vault 

■ Azure Service Bus 

■ Azure Event Hubs 

■ Azure Data Lake Store (Gen 1 only) 

■ Azure App Service 

■ Azure Container Registry (Public Preview) 


You can create service endpoints either using the Azure portal or using command-line tools 
such as PowerShell or Azure CLI. For example, let's assume the virtual network ExamRef-VNet 
and subnet Apps are already created. (See “Create and configure virtual networks, including 
peering” earlier in this chapter for detailed steps.) From the virtual network, click the Ser- 
vice Endpoints option on the left under Settings, as shown in Figure 4-24. Then click +Add > 
Microsoft.Storage, or select the appropriate service from the drop-down menu. Select 
Apps from the Subnets drop-down menu. Finally, click Add. 


[Figure 4-24 residue: the Add service endpoints pane, opened from the ExamRef-VNet | Service endpoints blade]

FIGURE 4-24 Add service endpoints to subnet 
You can create multiple service endpoints for the supported Azure services on a given subnet. 


Configure private endpoints 


A private endpoint establishes a private connection between any of the supported Azure services 
and your virtual network. For example, if you create a private endpoint for your storage account, 
then it provides a secure channel between your VNet and your storage account. The private 
endpoint gets a private IP address from your VNet address space. The connectivity for private 
endpoint takes place using private link. Once you create a private endpoint for a service, then a 
consent request is sent for approval by the service owner. Once it is approved, the private end- 
point can be used to establish connectivity to the defined service (such as a storage account). 


To configure a private endpoint, let's assume you have created ExamRef-VNet and 
ExamRef-VM. To create a private endpoint for a particular PaaS service (such as a web app), we 
need to first deploy the web app with a minimum of the PremiumV2 tier. Let's assume you have 
created an examref web app. To create a private endpoint, go to the Azure homepage, click 
+Create A Resource, search for Private Endpoint, and then click Create. 


You need to select the Subscription, Resource Group, and Region for creating a private 
endpoint, as shown in Figure 4-25. You also need to specify the private endpoint Name. Then 
click Next: Resource. 
FIGURE 4-25 Create a private endpoint—Basics blade 


Skill 4.1: Implement and manage virtual networking 


Humble Bundle MS Exam Ref Pearson Mega Bundle — © Pearson. Do Not Distribute. 


241 


On the next screen, you need to select the resource details for the private endpoint 
Subscription, Resource Type, Resource, and Target Sub-Resource, as shown in Figure 4-26. 
Then click Next: Configuration > at the bottom. 


[Figure 4-26 residue: Create a private endpoint, Resource tab. Connection method is "Connect to an Azure resource in my directory" (the alternative is "Connect to an Azure resource by resource ID or alias"); Subscription Visual Studio Ultimate with MSDN, Resource type Microsoft.Web/sites, Resource examref01, Target sub-resource sites; buttons Previous and Next : Configuration]

FIGURE 4-26 Create A Private Endpoint—Resource blade 


On the next screen, you need to specify the virtual network details along with the Subnet 
and Private DNS Zone integration options, as shown in Figure 4-27. Then click Review + 
Create at the bottom to create the private endpoint. 
[Figure 4-27 residue: Create a private endpoint, Configuration tab. The virtual network subnet in which to deploy the private endpoint is selected here. Under Private DNS integration, the portal explains that a DNS record is needed to connect privately to the endpoint and recommends integrating it with a private DNS zone, although your own DNS servers or host file records can be used instead.]

FIGURE 4-27 Create A Private Endpoint—Configuration blade 


Configure Azure DNS 


This section describes how Azure DNS is configured to host Internet-facing domains. We start 
with a summary of how the domain name system works because understanding DNS is a pre- 
requisite to understanding Azure DNS. 


How DNS Works 


To properly understand the various DNS services and features available in Azure, it is first 
necessary to understand how the domain name system works. In particular, it is important to 
understand the different roles played by recursive and authoritative DNS servers, and how a 
DNS query is routed to the correct DNS name servers using DNS delegation. 


First, it’s important to understand the distinction between a domain name, and a DNS zone. 
The Internet-facing domain name system is a single global name hierarchy. A domain name is 
just a name within that hierarchy. Owning a domain name gives you the legal right to control 
the DNS records within that name, and any sub-domains of that name. 
You purchase a domain name from a domain name registrar. The registrar then lets you 
control which name servers receive the DNS queries for that domain, by letting you configure 
the NS records for the domain. 


A DNS zone is the representation of a domain name in an authoritative DNS server. It con- 
tains the collection of DNS records for a given domain name. The service hosting the DNS zone 
lets you manage the DNS records within the zone, and hosts the data on authoritative name 
servers, which answer DNS queries with DNS responses based on the configured DNS records. 


In Azure, you can purchase domain names using the App Service Domains service. DNS 
zone hosting is provided by Azure DNS. 


The DNS settings on the user's device point to a recursive DNS server, also sometimes 
known as a local DNS service (or LDNS), or simply as a DNS resolver. The recursive DNS service 
is typically hosted by your company (if you're at work) or by your ISP (if you're at home). There 
are also public recursive DNS services available, such as Google's 8.8.8.8 service. The recursive 
DNS service doesn't host any DNS records, but it allows your device to off-load most of the 
work associated with resolving DNS queries. 


To understand the role of recursive and authoritative DNS servers, consider Figure 4-28, 
which describes the DNS resolution process for a single DNS query, www.contoso.com. 
FIGURE 4-28 The DNS Resolution Process 


This resolution process is described here: 


1. Your PC makes a DNS query to its locally configured recursive DNS server. This query is 
simply a packet sent over UDP port 53, although TCP can also be used (typically when 
responses are too big to fit in a UDP packet). 

2. Let's assume the recursive DNS server has just been switched on, so there is nothing 
in its cache. It passes the query to one of the root name servers (the addresses of the 
root name servers are pre-configured). The root name servers are authoritative name 
servers—they host the actual DNS records for the root zone. A zone is simply the data 
representing a node in the DNS hierarchy. 
3. The root name servers don’t know anything about the contoso.com DNS zone. They do, 
however, know where you can find the com zone. So, they return a DNS record of type 
NS, which tells the recursive DNS server where to find the com zone. 


4. The recursive server tries again, this time calling the com name servers. Again, these are 
authoritative name servers, this time for the com zone. 


5. These name servers don't recognize www.contoso.com, but they do have NS records 
that define where the contoso.com DNS zone can be found. 


6. The recursive server tries again, this time calling the authoritative contoso.com name 
servers. 


7. These servers are authoritative for the contoso.com DNS zone. And there is a record 
on these servers matching the www record name. The server does recognize the www. 
contoso.com query name and returns the A record response that maps this name to 
an IP address. 


8. The recursive server then returns this result back to the client. 


The recursive DNS server can also follow a chain of CNAME records (which map one DNS 
name to another name). And the recursive DNS server also caches the responses it receives, so 
that it can respond more quickly next time. The duration of the cache is determined by the TTL 
(time-to-live) property of each DNS record. 


The domain name system is a distributed system, where one set of servers can refer queries 
to another set using NS records. The process we've just seen to map a query name to a result— 
perhaps via a long chain of authoritative DNS servers—is called “DNS name resolution.” 
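The eight-step walk-through above, written out as an added example (not code from the book): a small iterative, caching resolver in Python over constructed zone data for the root, com and contoso.com zones. It follows NS referrals from the root down, chases a CNAME (constructed here so that www.contoso.com points at web.contoso.com) and caches each answer for its TTL, so a repeat query inside the TTL never leaves the cache. Name server names and addresses are constructed.

```python
import time
from typing import Dict, List, Tuple

Record = Tuple[str, str, int]   # (type, rdata, ttl)

# Constructed authoritative data, one dictionary per zone, keyed by owner name.
# Delegation NS records sit in the parent zone and are copied at the child apex.
ZONES: Dict[str, Dict[str, List[Record]]] = {
    ".": {"com.": [("NS", "a.gtld-servers.net.", 172800)]},
    "com.": {"contoso.com.": [("NS", "ns1-01.azure-dns.com.", 172800)]},
    "contoso.com.": {
        "contoso.com.": [("NS", "ns1-01.azure-dns.com.", 172800)],
        "www.contoso.com.": [("CNAME", "web.contoso.com.", 300)],
        "web.contoso.com.": [("A", "203.0.113.10", 300)],
    },
}


def _in_zone(name: str, zone: str) -> bool:
    """True if name is the zone apex or lies below it (all names are FQDNs with a trailing dot)."""
    return name == zone or name.endswith("." + zone.lstrip("."))


class RecursiveResolver:
    """The recursive DNS server of Figure 4-28: it holds no zones, only a cache."""

    def __init__(self, zones: Dict[str, Dict[str, List[Record]]]):
        self.zones = zones
        self.cache: Dict[Tuple[str, str], Tuple[float, List[str]]] = {}
        self.trace: List[str] = []   # one entry per query sent to an authoritative server

    def _ask(self, zone: str, qname: str, qtype: str):
        """One exchange with the authoritative servers for `zone`."""
        data = self.zones[zone]
        records = data.get(qname, [])
        answer = [r for r in records if r[0] == qtype]
        if answer:
            return "answer", answer
        cname = [r for r in records if r[0] == "CNAME"]
        if cname:
            return "cname", cname
        # No data here: return the NS referral for the child zone holding qname (steps 3 and 5).
        for child, child_records in data.items():
            if child != zone and any(r[0] == "NS" for r in child_records) and _in_zone(qname, child):
                return "referral", child
        return "nodata", None

    def resolve(self, qname: str, qtype: str = "A", now: float = None) -> List[str]:
        now = time.time() if now is None else now
        hit = self.cache.get((qname, qtype))
        if hit and hit[0] > now:
            return hit[1]                      # still within the TTL
        zone, name = ".", qname                # step 2: start at the root servers
        for _ in range(16):                    # guard against delegation or CNAME loops
            self.trace.append(f"{name} {qtype} -> {zone}")
            kind, data = self._ask(zone, name, qtype)
            if kind == "answer":
                rdata = [r[1] for r in data]
                self.cache[(qname, qtype)] = (now + min(r[2] for r in data), rdata)
                return rdata                   # step 8
            if kind == "cname":
                name, zone = data[0][1], "."   # restart resolution for the CNAME target
            elif kind == "referral" and data in self.zones:
                zone = data                    # steps 4 and 6: query the next servers down
            else:
                return []
        raise RuntimeError("too many referrals")


if __name__ == "__main__":
    resolver = RecursiveResolver(ZONES)
    print(resolver.resolve("www.contoso.com."))
    print("\n".join(resolver.trace))
```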


The NS records tell clients on the Internet where to find the name servers for a given DNS 
zone. The NS records for a DNS zone are configured in the parent zone, and a copy of the 
records is also present in the child zone. Setting up these NS records is called delegating a DNS 
domain. 


A fully qualified domain name (FQDN) is a domain name containing all components all the 
way up to the root zone. Strictly speaking, a fully qualified name ends with a “.” (for example, 
www.contoso.com.), which represents the root zone, although by convention, the 
trailing period is often omitted. 


Reverse DNS is the ability to map an IP address to a name (as opposed to name to IP 
address, which is what normal DNS provides). Some applications use reverse DNS as a weak 
form of authentication. For example, it’s commonly used in email spam-scoring algorithms. 


Reverse DNS lookups use a DNS hierarchy that is completely independent of the forward 
lookups. The reverse lookup for www.contoso.com does not sit in the contoso.com zone. 
Instead, it sits in a separate DNS zone hierarchy based on reversed IP addresses. For example, 
suppose www.contoso.com resolves to IP address 1.2.3.4. Typically, the reverse lookup for 
the IP address 1.2.3.4 will be a record named 4 in the DNS zone 3.2.1.in-addr.arpa, giving a 
FQDN of 4.3.2.1.in-addr.arpa (notice the reversed IP address.) 


Reverse DNS lookup zones are controlled by whoever owns the IP subnet. The reverse 
DNS lookup zone for an IP block you own can be hosted in Azure DNS. Public IP addresses 
in Azure reside in Microsoft-owned IP blocks, which means the reverse DNS lookups use 
Microsoft-managed reverse DNS lookup zones. 


There's nothing in the domain name system to ensure the reverse lookup maps to the same 
name as was used in the forward lookup. That's achieved simply by the correct configuration in 
both forward and reverse lookup zones. 
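The 1.2.3.4 example above, as an added example (not code from the book): Python that splits an address into the in-addr.arpa zone owned by the subnet holder and the record name inside it, generalised to /8 and /16 blocks as well as the /24 case in the text, plus the forward-confirmed check that the page says DNS itself does not enforce. The forward and reverse data are constructed.

```python
import ipaddress
from typing import Dict, Set, Tuple


def reverse_zone_and_record(ip: str, prefix_len: int) -> Tuple[str, str]:
    """Return (reverse lookup zone, record name) for an IPv4 address.

    prefix_len is the size of the IP block whose owner hosts the reverse zone. Only
    octet-aligned blocks (/8, /16, /24) map onto a single in-addr.arpa zone; anything
    else needs the RFC 2317 style of delegation, which this example does not model.
    """
    if prefix_len not in (8, 16, 24):
        raise ValueError("reverse zones are delegated on octet boundaries only")
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    split = prefix_len // 8
    zone = ".".join(reversed(octets[:split])) + ".in-addr.arpa"
    record = ".".join(reversed(octets[split:]))
    return zone, record


def forward_confirmed(name: str, ip: str,
                      forward: Dict[str, Set[str]], reverse: Dict[str, str]) -> bool:
    """True only if the PTR for ip names `name` AND name's A records include ip.

    forward maps a name to its A record addresses; reverse maps a PTR owner name
    (e.g. 4.3.2.1.in-addr.arpa) to the name it points at.
    """
    ptr_owner = ipaddress.IPv4Address(ip).reverse_pointer
    return reverse.get(ptr_owner) == name and ip in forward.get(name, set())


# Constructed forward and reverse zone contents for the example.
FORWARD = {"www.contoso.com": {"1.2.3.4"}, "mail.contoso.com": {"1.2.3.5"}}
REVERSE = {"4.3.2.1.in-addr.arpa": "www.contoso.com",
           "5.3.2.1.in-addr.arpa": "www.contoso.com"}   # misconfigured: should be mail

if __name__ == "__main__":
    print(reverse_zone_and_record("1.2.3.4", 24))
    print(forward_confirmed("www.contoso.com", "1.2.3.4", FORWARD, REVERSE))
    print(forward_confirmed("mail.contoso.com", "1.2.3.5", FORWARD, REVERSE))
```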


DNS services in Azure 


There are several DNS-related services and features in Azure—an overview of each is given 
below. The first three items are Azure services, which you consume by creating service-specific 
resources that you will be billed for. The remaining three items are Azure features, which you 
configure using settings on other resource types, such as a virtual network, public IP address, 
or network interface. 


■ Azure DNS. Allows you to host your DNS domains in Azure. It provides the ability to 
create and manage the DNS records for your domain and provides name servers, which 
answer DNS queries for your domain from other users on the Internet. Azure DNS also 
supports private DNS zones, which are used for intranet-based name resolution for VM to 
VM lookups, including support for some scenarios not supported by the Azure-provided 
DNS service, which we'll cover shortly. Private DNS zones are currently in preview. 

■ Azure Traffic Manager. An intelligent DNS service that uses DNS to implement 
global traffic management. Where Azure DNS always provides the same DNS response 
to any given DNS query, in Azure Traffic Manager the same query may result in one of 
several possible responses, depending on a number of factors which you control, such 
as where the end-user is located or which of your service endpoints is currently avail- 
able. This enables you to route traffic intelligently between Azure regions or between 
Azure deployments and on-premises deployments. Understanding Traffic Manager is 
beyond the scope of the AZ-104 exam. 

■ App service domains. Allows purchasing of domain names, which can then be 
hosted in Azure DNS. This service is integrated with Azure App Service, but can be used 
for any domain registration, even if App Service is not being used. 

■ Azure-provided DNS. Sometimes called Internal DNS, it allows the VMs in your vir- 
tual network to find each other, using DNS queries based on the hostname of each VM. 
The DNS queries are internal (private) to the virtual network. 

■ Recursive DNS. A service provided by Azure for DNS name resolution from your 
Azure VMs or other Azure services. You can also configure your VMs to use your own 
DNS server instead. This is sometimes informally called bring your own DNS. This is 
common when joining your VMs to a domain controller. 

■ Reverse DNS. Provides the ability to configure the reverse DNS lookup for an Azure- 
assigned public IP address. (Reverse DNS lookup zones for IP blocks you own can be 
hosted in Azure DNS.) 
Creating and delegating a DNS Zone to Azure DNS 


A DNS zone is a resource in Azure DNS. Creating a DNS zone resource allocates authorita- 
tive DNS name servers to host the DNS records for that zone. Azure DNS can then be used to 
manage those DNS records. DNS queries directed to those DNS name servers receive a DNS 
response based on the DNS records configured at that time. 


You do not have to own the corresponding domain name before creating a DNS zone in 
Azure DNS. You can create a DNS zone with any name, except for names on the public suffix 
list (see https://publicsuffix.org/). You can also create more than one DNS zone resource with 
the same DNS zone name, so long as they are in different resource groups. In this case, the 
DNS zones will be allocated to separate DNS name servers, so no conflict arises. 


You can test your DNS records by directing DNS queries directly to the assigned DNS name 
servers for your zone. For general use, however, your DNS zone should be delegated from the 
parent zone. This requires you to own the corresponding domain name. 


Before you can delegate your DNS zone to Azure DNS, you first need to know the names 
of the name servers assigned to your zone. These can be obtained using the Azure portal, 
PowerShell, or CLI after the DNS zone resource has been created. You can’t predict in advance 
which name server pool will be assigned to your DNS zone. You need to create the DNS zone, 
and then check. 


The assigned name servers will vary between zones, so if you're setting up multiple zones in 
Azure DNS you need to check the name servers on each one. Don't assume that the name serv- 
ers will be the same across all your zones. 


Each domain name registrar has their own DNS management tool allowing you to set the 
name server (NS) records for a domain. In the registrar's DNS management page, edit the NS 
records and replace the NS records with the ones Azure DNS assigned. 

When delegating a domain to Azure DNS, you must use the name server names provided 
by Azure DNS. You should always use all four name server names, regardless of the name 
of your domain. Domain delegation does not require the name server name to match your 
domain name. 


NOTE DELEGATING DNS ZONES TO AZURE DNS 


When delegating a domain to Azure DNS, do not use DNS glue records to point to the Azure 
DNS name server IP addresses directly. A glue record is a DNS server record that is not authori- 
tative for the zone and is used to avoid a condition of impossible dependencies for a DNS zone. 
These IP addresses might change in the future. Delegations using name server names in your 
own zone—sometimes called vanity name servers—are not currently supported in Azure DNS. 


Azure DNS treats child zones as entirely separate zones. Therefore, delegating a child zone 
follows the same process as delegating the parent zone: 


1. Create the child zone resource. 
2. Identify the name servers for the child zone. These will be different from the name servers 
assigned to the parent zone. 


3. Create NS records in the parent zone to delegate the child zone. The name of the NS 
records should be the child zone name (excluding the parent zone name suffix), and the 
RDATA in the NS records should be the child zone name servers. 


NOTE DELEGATING CHILD DNS ZONES TO AZURE DNS 


When you delegate a child zone, any existing name servers in the parent zone that match the 
child zone name will become hidden. You'll still see them in the Azure portal, but they won't 
resolve from the name servers because the delegation to the child zone will take precedence. 
To avoid this issue, before delegating the child zone, you should check for any records that will 
be hidden and replicate them into the child zone. This applies with any DNS service, not just 
Azure DNS. 
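The three delegation steps and the note above, as an added example (not code from the book): a Python helper that derives the NS record set to create in the parent zone, lists the parent records that the delegation would hide, and rewrites them relative to the child zone apex so they can be replicated there first. The zone names, records and name server names are constructed.

```python
from typing import Any, Dict, List, Tuple

# A record set in the parent zone: name relative to the zone ("@" for the apex), type, RDATA.
RecordSet = Dict[str, Any]


def plan_child_delegation(parent_zone: str, parent_records: List[RecordSet],
                          child_zone: str, child_name_servers: List[str]
                          ) -> Tuple[RecordSet, List[RecordSet], List[RecordSet]]:
    """Return (NS record set for the parent, records that will be hidden, their child-zone copies)."""
    parent = parent_zone.strip(".").lower()
    child = child_zone.strip(".").lower()
    suffix = "." + parent
    if not child.endswith(suffix):
        raise ValueError(f"{child} is not a child of {parent}")

    # Step 3: the NS set is named with the child zone name minus the parent suffix,
    # and its RDATA is the child zone's own name servers (step 2).
    relative = child[: -len(suffix)]
    ns_record_set = {"name": relative, "type": "NS", "rdata": list(child_name_servers)}

    # Everything at or below the child name in the parent stops resolving once the
    # delegation exists (an existing NS set at that name is the delegation itself).
    hidden = [
        r for r in parent_records
        if (r["name"] == relative or r["name"].endswith("." + relative))
        and not (r["type"] == "NS" and r["name"] == relative)
    ]

    # The same records, renamed relative to the child zone apex, ready to create there.
    replicate = []
    for r in hidden:
        new_name = "@" if r["name"] == relative else r["name"][: -len("." + relative)]
        replicate.append({**r, "name": new_name})
    return ns_record_set, hidden, replicate


# Constructed parent zone contents for contoso.com.
PARENT_RECORDS = [
    {"name": "www", "type": "A", "rdata": ["203.0.113.10"]},
    {"name": "child", "type": "A", "rdata": ["203.0.113.20"]},
    {"name": "app.child", "type": "TXT", "rdata": ["v=1"]},
]

if __name__ == "__main__":
    ns, hidden, copies = plan_child_delegation(
        "contoso.com", PARENT_RECORDS, "child.contoso.com", ["ns1-02.azure-dns.com."])
    print("create in parent:", ns)
    print("hidden by delegation:", [r["name"] for r in hidden])
    print("replicate into child as:", [r["name"] for r in copies])
```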


Managing DNS records in Azure DNS 
Each record in the domain name system includes the following properties: 


m Name. The name of the DNS record is combined with the name of the DNS zone 
to form the fully qualified domain name (FQDN). For example, the record www in zone 
contoso.com corresponds to the FQDN www.contoso.com. 


m Type. The type of DNS record determines what data is associated with the record and 
what purpose it is used for. A list of record types supported by Azure DNS is provided in 
Table 4-5. 


m TTL. The TTL (or Time-to-Live) tells recursive DNS servers how long a DNS record 
should be cached. 


= RDATA. The data returned for each DNS record. The type of data returned depends 
on the DNS record type. For example, an A record will return an IPv4 address, whereas a 
CNAME record returns another domain name. 


The collection of records in a DNS zone with the same name and the same type is called 
a resource record set. (These collections are also referred to as “RRSets” and as “record sets” 
in Azure DNS). Records in Azure DNS are managed using record sets. Record sets are a child 
resource of the DNS zone and can contain up to 20 individual DNS records. The name, type, 
and TTL are configured on the record set, and the RDATA is configured on each DNS record 
within the record set. 


To create a DNS record set at the root (or apex) of a DNS zone, use the record set name @. 
For example, the record set named @ in the contoso.com zone will resolve against queries for 
contoso.com. You can also use an asterisk (*) in the record set name to create wildcard records 
(subject to DNS wildcard matching rules). 

Azure DNS supports all commonly used DNS record types. The full list of supported record 
types—together with a description of each—is provided in Table 4-5. 
TABLE 4-5 DNS Record Types in Azure DNS 

DNS Record Type | Remarks 
A | Used to map a name to an IPv4 address. 
AAAA | Used to map a name to an IPv6 address. 
CAA | Used to specify which certificate authorities can issue certificates for a domain. Note that CAA records are not currently available in the Azure portal, so they must be configured using the Azure CLI or Azure PowerShell. 
CNAME | Provides a mapping from one DNS name to another. The DNS standards do not allow CNAME records at the zone apex. In addition, you cannot create a CNAME record with the same name as a record of any other record type, and CNAME record sets only support a single DNS record rather than a list of records. These are DNS RFC constraints, not Azure DNS limitations. 
MX | Used for mail server configuration. 
NS | An NS record set at the zone apex containing the name servers for the DNS zone is required by the DNS standards. This is created for you when the DNS zone is created. It can be edited, for example to add additional records when co-hosting a DNS zone with more than one provider, but not deleted. You can create additional NS record sets to delegate child zones. 
PTR | Used for reverse DNS lookups in reverse lookup zones. 
SOA | An SOA record is required at the apex of every zone. This is created and deleted with the DNS zone resource. 
SRV | SRV records are used for service discovery for a wide range of services, from Kerberos to Minecraft to the Session Initiation Protocol used for Internet telephony. Note that the Service and Protocol parameters are specified as part of the record set name, such as _service._protocol.media.contoso.com. Some DNS services prompt you to enter these values separately and then merge them to form the record set name. With Azure DNS, you need to specify them as part of the record set name, but they are not entered separately. 
TXT | Used for a wide range of applications, including email Sender Policy Framework (SPF). 


NOTE SPF RECORDS 


Sender Policy Framework (SPF) records are used to identify legitimate mail servers for a 
domain and help prevent spam. The SPF record type was deprecated by RFC7208, which states 
that the TXT record type should be used for SPF records. 
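The record set rules above (20 records per set, apex NS and SOA managed with the zone) and the per-type constraints in Table 4-5 and the SPF note, as an added example (not code from the book): a Python validator that reports why a proposed record set would be rejected before it is submitted. The existing zone contents and the SOA text are constructed.

```python
from typing import Dict, List, Tuple

SUPPORTED_TYPES = {"A", "AAAA", "CAA", "CNAME", "MX", "NS", "PTR", "SOA", "SRV", "TXT"}
MAX_RECORDS_PER_SET = 20   # record set limit stated in the text

# Existing record sets, keyed by (name relative to the zone, type). Constructed for
# this example; the apex NS and SOA sets are present in every freshly created zone.
EXISTING: Dict[Tuple[str, str], List[str]] = {
    ("@", "NS"): ["ns1-01.azure-dns.com."],
    ("@", "SOA"): ["ns1-01.azure-dns.com. hostmaster.contoso.com. 1 3600 300 2419200 300"],
    ("www", "A"): ["23.34.45.56", "123.134.145.156"],
}


def validate_record_set(existing: Dict[Tuple[str, str], List[str]],
                        name: str, rtype: str, rdata: List[str]) -> List[str]:
    """Return the reasons a new record set would be rejected; an empty list means it is valid."""
    problems: List[str] = []
    if rtype not in SUPPORTED_TYPES:
        return [f"{rtype} is not a supported record type (publish SPF data in a TXT record)"]
    if (name, rtype) in existing:
        problems.append(f"a {rtype} record set named {name} already exists; add the record to that set")
    if rtype == "SOA":
        problems.append("the SOA record set is created and deleted with the zone")
    if rtype == "NS" and name == "@":
        problems.append("the apex NS record set is created with the zone; edit it instead")
    if not rdata:
        problems.append("a record set needs at least one record")
    if len(rdata) > MAX_RECORDS_PER_SET:
        problems.append(f"a record set holds at most {MAX_RECORDS_PER_SET} records")

    # CNAME constraints from Table 4-5 (RFC rules, enforced by Azure DNS).
    other_types = {t for (n, t) in existing if n == name and t != rtype}
    if rtype == "CNAME":
        if name == "@":
            problems.append("CNAME records are not allowed at the zone apex")
        if len(rdata) > 1:
            problems.append("a CNAME record set holds a single record")
        if other_types:
            problems.append(f"{name} already has {sorted(other_types)} records; a CNAME cannot share a name")
    elif "CNAME" in other_types:
        problems.append(f"{name} is a CNAME; no other record type may use that name")

    # SRV: service and protocol labels are part of the record set name in Azure DNS.
    if rtype == "SRV":
        labels = name.split(".")
        if len(labels) < 2 or not (labels[0].startswith("_") and labels[1].startswith("_")):
            problems.append("SRV record set names carry the service and protocol labels, e.g. _sip._tcp.media")
    return problems


if __name__ == "__main__":
    for args in [("@", "CNAME", ["web.contoso.com."]),
                 ("_sip._tcp.media", "SRV", ["0 5 5060 sip.contoso.com."]),
                 ("@", "SPF", ["v=spf1 -all"])]:
        print(args[:2], validate_record_set(EXISTING, *args) or "OK")
```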


Alias records 


Azure DNS offers integration with other services hosted in Azure via Alias records. 


With conventional DNS records, you explicitly specify the target, such as the IP address of 
an A record. If the IP address changes, you need to update the DNS record accordingly. 
Alias records allow you to define the target of the DNS record implicitly by referencing 
another Azure resource. The value of the DNS record is populated automatically based on the 
resource it references and is updated automatically if that resource changes. 

Alias records can reference three different resource types: 

■ An A or AAAA. These records can reference a public IP address, of type IPv4 or IPv6, 
respectively. 

■ A, AAAA, or CNAME. These records can reference a Traffic Manager profile. This 
exposes the dynamic, traffic-managed name resolution of the Traffic Manager directly 
within a record in your DNS domain. Prior to this feature, you had to create a CNAME 
record from your domain to a record in the trafficmanager.net domain provided by 
Azure Traffic Manager. 

■ An A, AAAA or CNAME. These records can also reference another record in the same 
DNS zone. This lets you create synchronized records with ease. 


Alias records are a very useful way to address a number of scenarios. 


■ First, Alias records allow you to avoid orphaned DNS records. A common problem with 
DNS systems is that records are not cleaned up when the services they reference are 
deleted. The DNS record is left dangling. With Alias records, the DNS record no longer 
resolves once the underlying service is deleted. 

■ Second, as we have already discussed, by updating automatically when underlying 
resources change, Alias records reduce your management overhead and help you avoid 
accidental application downtime. 

■ Third, because Alias records enable you to avoid using a CNAME record when using 
a vanity domain name with Azure Traffic Manager, they enable you to implement a 
traffic-managed record at the apex of your domain. 


Creating DNS zones and DNS records using the Azure portal 


To create a DNS zone, click +Create A Resource > Networking > DNS Zone to open the 
Create DNS Zone blade. Fill in the blade by specifying the DNS domain Name as the DNS 
zone resource name, and selecting your Resource Group, as shown in Figure 4-29. 


NOTE DNS ZONES AND AZURE REGION 


When creating a DNS zone, the location field only specifies the resource group location. It 
does not apply to the DNS zone resource itself, which is global rather than regional. 


Once the DNS zone has been created, open the DNS zone blade. The Azure DNS name 
servers assigned to the zone are listed in the essentials panel, as highlighted in Figure 4-30. 
[Figure 4-29 residue: the Create DNS zone blade (Basics), with Subscription Visual Studio Ultimate with MSDN, Resource group ExamRef-RG and Resource group location Canada Central. The portal text explains that a DNS zone hosts the DNS records for a particular domain, for example mail.contoso.com and www.contoso.com within contoso.com, and that Azure DNS provides name servers that respond to DNS queries with the records you create.]

FIGURE 4-30 The DNS zone blade, highlighting the Azure DNS name servers assigned to this zone 


To set up DNS delegation for the DNS zone, these name servers must be listed in the cor- 
responding NS records in the parent zone. If the domain name was purchased using the Azure 
App Service Domains service, this will be done automatically. Otherwise, this must be config- 
ured at the DNS registrar where the domain name was purchased. 


To create a DNS record in a new record set, click +Record Set to open the Add Record Set 
blade. If there is an existing record with the same name and type as the record you want to cre- 
ate, you should instead click the existing record set and add the new record there. To create a 
pair of A records with name www (giving the fully qualified domain name www.examref.com), fill 
in the blade with the following values, as shown in Figure 4-31. 


■ Name. www 

■ Type. A 

■ Alias Record Set. No 

■ TTL. 1 hour (or choose your own value) 

■ IP Addresses. Enter A record IP addresses, one for each DNS record in the record set. 


Suppose now you want to create a DNS record at the zone apex (so the fully qualified 
domain name is simply the DNS zone name examref.com), pointing to a dynamically allocated 
public IP address. Click +Add Record Set again and complete the Add Record Set blade with 
the following settings, as shown in Figure 4-32. 


■ Name. @ (This is a DNS convention for records at the zone apex.) 

■ Type. A. 

■ Alias Record Set. Yes. 

■ Choose Subscription. Choose the subscription containing the public IP address. 

■ Azure Resource. Choose the public IP address resource. 

■ TTL. 1 hour (or choose your own value). 


[Figure 4-31 residue: the Add record set blade for examref.com, with Name www (suffix .examref.com), Type A, Alias record set No, TTL 1 Hours, and IP addresses 23.34.45.56 and 123.134.145.156]

FIGURE 4-31 The Add Record Set blade 

[Figure 4-32 residue: the Add record set blade for examref.com, with Name @ (suffix .examref.com), Type A, Alias record set Yes, Alias type Azure resource, subscription Visual Studio Ultimate with MSDN, Azure resource ExamRef-ip, and TTL 1 Hours]

FIGURE 4-32 The Add Record Set blade for an Alias record set 


Configure custom DNS settings 


When a virtual machine connects to a virtual network, it receives its IP address via DHCP. As 
part of that DHCP exchange, DNS settings are also configured in the VM. By default, VMs are 
configured to use Azure's recursive DNS servers. These provide name resolution for Internet- 
hosted domains, plus private VM-to-VM name resolution within a virtual network. 


The hostname of the VM is used to create a DNS record mapping to the private IP address 
of the VM. You specify the hostname—which is simply the VM name—when you create the vir- 
tual machine. Azure specifies the DNS suffix, using a value that is unique to the virtual network. 
These suffixes end with internal.cloudapp.net. The hostname and DNS suffix together form the 
unique fully qualified domain name. 


Name resolution for these DNS records is private—they can only be resolved from within 
the virtual network. The DNS suffix is configured as a lookup suffix within each VM, so names 
can be resolved between VMs within the virtual network using the hostname only. 


This built-in DNS service uses the IP address 168.63.129.16. This is a special static IP address 
that is reserved by the platform for this purpose. This IP provides both the authoritative DNS 
service for Azure-provided DNS as well as Azure's recursive DNS service, which is used to 
resolve Internet DNS names from Azure VMs. This IP is used for other things as well, such as 
health probes from Azure Load Balancer, heartbeat messages for PaaS roles, and so on. 
Bring your own DNS 


Alternatively, you can configure your own DNS settings, which will be configured during the 
DHCP exchange on the VMs instead. This enables you to specify your own DNS servers, either 
in Azure or running on-premises. With your own DNS servers, you can support any DNS 
scenario, including scenarios not supported by the Azure-provided service. Example scenarios 
requiring you to use your own DNS servers include name resolution between VMs in different 
virtual networks, name resolution between on-premises resources and Azure virtual machines, 
reverse DNS lookup of internal IP addresses, and name resolution for non-Internet-facing 
domains, such as domains associated with Active Directory. 


You should not specify your own DNS settings within the VM itself because the platform is 
unaware of the settings you have chosen. Instead, Azure provides configuration options within 
the virtual network settings. These DNS server settings are at the virtual network level and 
apply to all VMs in the virtual network. 


You can also specify VM-specific DNS server settings within each network interface. This 
takes precedence over settings at the virtual network level. Where multiple VMs are deployed 
in an availability set, setting DNS servers at the network interface, all VMs in the availability set 
are updated. The DNS servers applied are the union of the network interface-level DNS servers 
from across the availability set. 


NOTE DNS NAME SERVER SETTINGS 


Custom DNS settings can be configured at the VNet level, and the network interface level, but 
not at the subnet level. To use specific settings for an individual subnet, you must configure 
those settings on each network interface in the subnet. 


You can use these DNS settings to direct your VMs’ DNS queries to any DNS servers you 
choose. They can point to IP addresses of on-premises servers, such as an Active Directory 
Domain Controller or network appliance, a DNS service running in an Azure Virtual Machine, 
or anywhere else on the Internet. 


If you use your own DNS servers, those servers will need to offer a recursive DNS service, 
otherwise name resolution for Internet domains from your virtual machines will break. If you 
point the DNS settings directly at an Internet-based recursive DNS service, such as Google 
8.8.8.8, then you will not be able to perform VM-to-VM lookups. 


NOTE RESTART VIRTUAL MACHINES WHEN CHANGING DNS SETTINGS 


If you make changes to the DNS settings at the virtual network level, any affected virtual 
machines must restart to pick up the new settings. If you make changes to DNS settings at 
the network interface level, the affected VM (or VMs across the availability set, if used) will 
restart automatically to pick up the new settings. 
One challenge when using your own DNS servers is that you will need to register each VM in 
your DNS service. To do this, you can configure the DNS service to accept Dynamic DNS 
queries, which the VM will send when it boots. This allows the VMs to register with the DNS server 
automatically. A problem with this approach is that the DNS suffix in the Dynamic DNS query 
must match the DNS zone name configured on the DNS server, and Azure does not support 
configuring the DNS suffix via the Azure platform settings. As a workaround, you can configure 
the correct DNS suffix within each VM yourself, using a start-up script. 


Configure custom DNS settings using the Azure portal 


To configure the DNS servers on a VNet, open the virtual network blade, and then click DNS 
Servers under Settings, as seen in Figure 4-33. You can then enter the DNS servers you want the VMs 
in this VNet to use. After saving your changes, you need to restart the VMs in the VNet to pick up the changes. 


The steps to configure the DNS servers on an individual VM are similar to the previous steps. Open 
the blade for the VM's network interface, and then click DNS Servers under Settings. You can 
then enter the DNS servers you want this VM to use. Note that VMs in an availability set will adopt 
the union of DNS servers from network interfaces across the availability set. After saving your 
changes, your VM (or VMs in the availability set) will automatically restart to pick up the changes. 


[Screenshot: the VNet DNS servers blade with Custom selected and two DNS server addresses entered; the banner states that virtual machines within this virtual network must be restarted to use the updated DNS server settings.] 

FIGURE 4-33 Custom DNS servers for a virtual network configured using Azure portal 


Configure private DNS zones 


In addition to supporting Internet-facing DNS domains, Azure DNS also supports private DNS 
domains. This provides an alternative approach to name resolution within and between virtual 
networks. 
By using private DNS zones, you can use your own custom domain names—including the 
DNS suffix, rather than the Azure-provided DNS suffix—without the overhead or complexity of 
running your own DNS servers. 


The service supports automatic registration of VMs into the private zone, but only from a 
single virtual network, called the registration VNet. This must be registered with the DNS zone 
before any VMs are created. 


If you want to resolve VM names from multiple virtual networks, the VMs in any other 
networks must be registered with the service manually (or via a custom automation). Name 
resolution between VNets is independent of connectivity between VNets, so peering your 
virtual networks or setting up a VNet-to-VNet connection is not required. 


Virtual networks that use the zone for name resolution only (without registration) are called 
resolution VNets. The zone name is not registered with the VMs as a DNS search suffix, so you will need 
to register it yourself or use fully qualified domain names in your DNS queries. 


Create private DNS zones using Azure portal 


To create a private DNS zone, click +Create A Resource > Networking > Private DNS Zone 
to open the Create Private DNS Zone blade. Fill in the settings by specifying the DNS domain 
Name as the DNS zone resource name and selecting your Resource Group, as shown in 
Figure 4-34. 


[Screenshot: the Create Private DNS zone blade, Basics tab, with the Subscription, the Resource group ExamRef-RG, and the Name privateexamref.com filled in; the blade notes that virtual networks can be linked to the zone after it has been created.] 


FIGURE 4-34 Creating a private DNS zone using the Azure portal 


CHAPTER 4 Configure and manage virtual networking 


Humble Bundle MS Exam Ref Pearson Mega Bundle — © Pearson. Do Not Distribute. 


With private DNS zone, you can create virtual network links by choosing Virtual Network 
Links, and then clicking + Add, as shown in Figure 4-35. 


[Screenshot: the privateexamref.com | Virtual network links list, with the columns Link name, Link status, Virtual network, and Auto-registration.] 

FIGURE 4-35 Virtual network links for a private DNS zone 


You only need to supply the Link Name, Subscription, and Virtual Network Name, as 
shown in Figure 4-36. You can also select the Enable Auto Registration checkbox, which will 
automate the creation of DNS records in the Private DNS zone for the virtual machines which 
are connected to the virtual network. 


[Screenshot: the Add virtual network link blade for privateexamref.com, with Link name ExamRef-Link, the Subscription, Virtual network ExamRef-VNet (ExamRef-RG), and the Enable auto registration checkbox; the blade notes that only virtual networks with the Resource Manager deployment model can be linked, not Classic virtual networks.] 


FIGURE 4-36 Add virtual network link for a private DNS zone 


Once created, a Virtual Network Link appears on the right screen. Create private DNS 
zones using Azure PowerShell or the Azure CLI. 
Skill 4.2: Secure access to virtual networks 


Network security groups (NSGs) allow you to control which network flows are permitted into 
and out of your virtual networks and virtual machines. Each NSG contains lists of inbound and 
outbound rules, which give you fine-grained control over exactly which network flows are 
allowed or denied. 


This section covers how to: 

■ Create security rules 

■ Associate a network security group (NSG) to a subnet or network interface 

■ Evaluate effective security rules 

■ Implement Azure Firewall 

■ Implement Azure Bastion Service 


Create security rules 


A network security group (NSG) is a standalone Azure resource, which acts as a network filter. 
Each NSG contains a list of security rules. These are used to allow or deny inbound or outbound 
network traffic, depending on the properties of that traffic such as protocol, IP address, and 
port. To apply the NSG, it is associated with either a subnet or with a specific VM's network 
interface. 


NSG rules 


NSG rules define which traffic flows are allowed or denied by the NSG. Table 4-6 describes the 
properties of an NSG rule. 


TABLE 4-6 NSG properties 


Property | Description | Constraints | Considerations 
Name | The name of the rule. | Must be unique within the region. Must end with a letter, number, or underscore. Cannot exceed 80 characters. | You can have several rules within an NSG, so make sure you follow a naming convention that allows you to identify the purpose of each rule. 
Protocol | The network protocol the rule applies to. | TCP, UDP, or *. | Using * as a protocol includes ICMP as well as TCP and UDP. In the Azure portal, select 'Any' instead of '*'. 
Source port range(s) | Source port range(s) to match for the rule. | Single port number from 1 to 65535; a port range (example: 1-65535); a list of ports or port ranges; or * (for all ports). | The source ports could be ephemeral, so unless your client program is using a specific port, use * in most cases. Try to reduce the number of rules by specifying multiple ports or port ranges in a single rule. 
Destination port range(s) | Destination port range(s) to match for the rule. | Single port number from 1 to 65535, a port range (such as 1-65535), a list of ports or port ranges, or * (for all ports). | Try to reduce the number of rules by specifying multiple ports or port ranges in a single rule. 
Source address prefix(es) | Source address prefix(es) or service tag(s) to match for the rule. | Single IP address (such as 10.10.10.10), IP subnet (such as 192.168.1.0/24), a service tag, a list of the above, or * (for all addresses). | Consider using ranges, service tags, and lists to reduce the number of rules. The IP addresses of Azure VMs can also be specified implicitly using application security groups. 
Destination address prefix(es) | Destination address prefix(es) or service tag(s) to match for the rule. | Single IP address (such as 10.10.10.10); IP subnet (such as 192.168.1.0/24); a service tag; a list of the above; or * (for all addresses). | Consider using ranges, default tags, and lists to reduce the number of rules. The IP addresses of Azure VMs can also be specified implicitly using application security groups. 
Direction | Direction of traffic to match for the rule. | Inbound or outbound. | Inbound and outbound rules are processed separately, based on traffic direction. 
Priority | Rules are checked in the order of priority. Once a matching rule is found, no more rules are tested. | Unique number between 100 and 4096. Uniqueness is only within this NSG. | Consider creating rules and jumping priorities by 100 for each rule to leave space for new rules you might create in the future. 
Action | Type of action to apply if the rule matches. | Allow or Deny. | Keep in mind that if an allow rule is not found for a packet, the packet is dropped. 


NOTE NSG RULE PRIORITY 


NSG rules are enforced based on their priority. Priority values start from 100 and go to 4096 
(and from 65001 to 65003 for default rules). Rules will be read and enforced starting with 100 and 
are followed by 101, 102, and so on. When a rule is found that matches the traffic under 
consideration, the rule is applied, and all further processing stops—subsequent rules are disregarded. 


For example, suppose you had an inbound rule that allowed TCP traffic on any port with a 
priority of 250 and another that denied TCP traffic on port 80 with a priority of 125. An inbound 
TCP connection on port 80 would be denied, since the deny rule has a lower priority value and 
would be applied before the allow rule is considered. 
Service Tags 


Many Azure services are accessed via Internet-facing endpoints. These endpoints can change 
over time, for example as new Azure regions are built. This makes it difficult to use NSG rules 
to control access to those services—it's hard to identify the list of IP ranges to use, and even 
harder to keep the list up-to-date. 


To address this problem, Azure provides service tags. These are platform-defined shortcuts 
that map to the IP ranges of various Azure services. The IP ranges associated with each service 
tag are updated automatically whenever the IP addresses used by the service change. 


Service tags are used in NSG rules as a quick and reliable way of creating rules that control 
traffic to each service. Typically, they are used in outbound rules to control which other Azure 
services the VMs in a VNet can or cannot access. 


Note that service tags control access to the service, but not to a specific resource within that 
service. For example, a service tag might be used in an NSG rule allowing a VM to connect to 
Azure storage. This rule cannot control which account in Azure storage the VM will attempt to use. 


Service tags are provided for more than 60 Azure services, and the list is growing. Here are 
some of the most commonly used service tags. 


■ VirtualNetwork. Controls access to the virtual network address space where the NSG 
is assigned. It refers to the entire virtual network (not just the subnet), plus all connected 
virtual networks and any on-premises address space connected via Site-to-Site VPN or 
ExpressRoute (which we discuss in the next Skill section of this course). Note that the 
network address space of peered virtual networks is only included if the Allow Virtual 
Network Access property is set to Enabled. 


■ Internet. Denotes the public Internet address space. This includes the Internet-facing 
Azure IP address ranges that are used for public IP addresses and Azure platform services. 


■ AzureCloud. Denotes the Azure data center public IP space. This service tag can be 
scoped to a specific Azure region, such as by specifying AzureCloud.EastUS. 


■ AzureLoadBalancer. Denotes the IPs where Azure Load Balancer health probes will 
originate. Traffic from these addresses should be allowed for any load-balanced VMs. 
Note that this service tag cannot be used to control traffic coming through the Load 
Balancer from elsewhere. This traffic can be filtered using the originating source IP, 
which is not modified as it passes through the Azure Load Balancer. 

■ AzureTrafficManager. Performs a similar role for Azure Traffic Manager. It is used to 
allow traffic from the source IP addresses of Traffic Manager health probes. 

■ Storage. Represents the IP addresses used by the Azure Storage service. As with the 
AzureCloud service tag, the Storage service tag can be region scoped. For example, 
you can specify Storage.WestUS to only allow access to Storage accounts in the West 
US region. 

■ Sql. Represents the IP addresses used by the Azure Database for MySQL, Azure 
Database for PostgreSQL, and Azure Synapse Analytics. This service tag can also be scoped 
to a specific region. 
Default rules 


All NSGs have a set of default rules. You cannot add to, edit, or delete these default rules. 
However, since they have the lowest possible priority, they can be overridden by other rules which 
you create. 


The default rules allow and disallow traffic as follows: 


■ Virtual network. Traffic originating and ending in a virtual network is allowed both in 
inbound and outbound directions. 


■ Internet. Outbound traffic is allowed, but inbound traffic is blocked. 


■ Load balancer. Allows the Azure Load Balancer to probe the health of your VMs and 
role instances. If you are not using a load balanced set, you can override this rule. 


NOTE LOAD BALANCER TRAFFIC 


The Load Balancer default rule uses the AzureLoadBalancer service tag. This applies only to Azure 
Load Balancer health probes, which originate at the Load Balancer. It does not apply to traffic 
received through the Load Balancer, which retains its original source IP addresses and ports. 


Table 4-7 shows the default inbound rules for each NSG. 


TABLE 4-7 Default Inbound Rules 


Name | Priority | Source | Source Port | Destination | Destination Port | Protocol | Access 
AllowVNetInBound | 65000 | VirtualNetwork | Any | VirtualNetwork | Any | Any | Allow 
AllowAzureLoadBalancerInBound | 65001 | AzureLoadBalancer | Any | Any | Any | Any | Allow 
DenyAllInBound | 65500 | Any | Any | Any | Any | Any | Deny 


Table 4-8 shows the default outbound rules for each NSG. 


TABLE 4-8 Default Outbound Rules 


Name | Priority | Source | Source Port | Destination | Destination Port | Protocol | Access 
AllowVNetOutBound | 65000 | VirtualNetwork | Any | VirtualNetwork | Any | Any | Allow 
AllowInternetOutBound | 65001 | Any | Any | Internet | Any | Any | Allow 
DenyAllOutBound | 65500 | Any | Any | Any | Any | Any | Deny 
Application security groups 


As you have seen, NSG rules are like traditional firewall rules and are defined using source and 
destination IP blocks. They enable you to segment your network traffic into application tiers, 
which are segmented into separate subnets. 


This creates some management challenges: 


■ The IP blocks for each subnet must be carefully planned in advance. To allow for 
additional servers to be added in future, each subnet must be bigger than you really need, 
which results in inefficient use of the IP space. 


■ If you make a subnet too small and run out of space, it can be time-consuming to 
reconfigure the network to free up additional space, especially without application downtime. 


■ Each subnet requires a separate NSG, making it difficult to get an overall picture of the 
permitted and blocked traffic at an application level. 


Application security groups (ASGs) address these challenges by offering an alternative 
approach to network segmentation. They allow you to achieve the same goal of 
segmenting your application into separate tiers, and they strictly control the permitted network flows 
between tiers. However, ASGs do not require that you associate each tier with a separate 
subnet, so all the challenges associated with planning and managing subnets fall away. With ASGs, 
you explicitly define which application tier each VM belongs to, rather than implicitly defining 
which application tier each VM belongs to, based on the subnet in which the VM has been 
placed. All VMs can be placed in a single subnet, and a single NSG is used to define all 
permitted network flows between application tiers. Because a single subnet is used, the IP space can 
be managed much more flexibly, and because there is a single NSG with rules referring to 
named application tiers, the network rules are easier to understand and can all be managed 
in one place. 

Figure 4-37 shows a standard three-tier application architecture with web servers, 
application servers, and database servers. These servers have been grouped by associating each 
server with the appropriate application security group. All servers are placed in the same 
subnet without having to think about how the network space is subdivided. A single network 
security group contains rules defining the permitted traffic flows between application tiers. 


[Diagram: VMs grouped into the WebServers, AppServers, and DatabaseServers application security groups, all in one subnet, with a single NSG containing the following rules.] 

Action | Name | Source | Destination | Protocol/Port 
Allow | InternetToWeb | Internet | WebServers | TCP 80, 443 
Allow | WebToApp | WebServers | AppServers | TCP 443 
Allow | AppToDatabase | AppServers | DatabaseServers | TCP 1433 
Allow | LBProbes | AzureLoadBalancer | VirtualNetwork | Any 
Deny | DenyAll | Any | Any | Any 


FIGURE 4-37 Using application security groups to simplify subnet and NSG management 
Application security groups enable you to configure network security as a natural extension 
of an application's structure, which allows you to group virtual machines and define network 
security policies based on those groups. You can reuse your security policy at scale without the 
manual maintenance of explicit IP addresses. The platform handles the complexity of explicit IP 
addresses and multiple rule sets, which allows you to focus on your business logic. 


Configuring application security groups is straightforward: 


1. First, you create an application security group resource for each server group. This 
resource has no properties, other than its name, resource group, and location. 

2. Next, you associate the network interface from each VM with the appropriate 
application security group. This defines which group (or groups) each VM belongs to. 

3. Finally, you define your network security group rules using application security group 
names instead of explicit IP ranges. This is similar to how rules are configured using 
named service tags. 


Create an NSG using the Azure portal 
To create an NSG using Azure portal, follow these steps: 
1. First, click Create A Resource > Networking > Network Security Group. 
2. Once the Create Network Security Group blade loads, you will need to provide a 
name, the subscription where your resources are located, the resource group for the 
NSG, and the location. (The location must be the same as that of the resources to which 
you want to apply the NSG.) In Figure 4-38, the NSG will be created to allow HTTP traffic into the 
Apps subnet and be named AppsNSG. 


[Screenshot: the Create network security group blade, Basics tab, with the Subscription, the Resource group ExamRef-RG, the Name AppsNSG, and the Region Canada Central.] 


FIGURE 4-38 Creating a network security group using the Azure portal 
3. After the NSG has been created, open the NSG Overview blade, as shown in Figure 4-39. 
Here, you see that the NSG has been created, but there are no inbound or outbound 
security rules beyond the default rules. 


[Screenshot: the AppsNSG Overview blade.] 


FIGURE 4-39 The NSG Overview blade, showing the inbound and outbound security rules 


4. The next step is to create the inbound rule for HTTP and HTTPS traffic. In the Settings 
area, click Inbound Security Rules, and then click +Add to open the Add Inbound 
Security Rule panel. Notice how the panel has both Basic and Advanced modes, 
depending on the level of control required. 


5. To allow HTTP/HTTPS traffic on ports 80 and 443, fill in the settings, as shown here and in 
Figure 4-40: 
■ Source. Any 
■ Source Port Ranges. * 
■ Destination. VirtualNetwork 
■ Destination Port Ranges. 80,443 
■ Protocol. TCP 
■ Action. Allow 
■ Priority. 100 
■ Name. Allow_HTTP_HTTPS 
■ Description. Allow HTTP and HTTPS inbound traffic on ports 80 and 443 
6. Once all the settings have been filled in, click the Add button to create the NSG rule. 


NOTE APPLYING NSGs TO VIRTUAL NETWORKS 


The destination IP ranges refer to the VNet, which allows the NSG to be applied to any subnet 
in any VNet and avoids coupling the NSG to a specific IP range. Traffic will only be permitted 
to those subnets where the NSG is applied. 




[Screenshot: the Add inbound security rule blade for AppsNSG in Basic mode, with Source Any, Destination VirtualNetwork, Destination port ranges 80,443, Protocol TCP, Action Allow, Priority 100, Name Allow_HTTP_HTTPS, and Description "Allow HTTP and HTTPS inbound traffic on ports 80 and 443".] 


FIGURE 4-40 Adding an Inbound Rule to allow HTTP traffic 


7. Once the inbound rule has been saved, it will appear in the Azure portal. Review your 
rule to ensure it has been created correctly. 


Associate NSG to a subnet or network interface 


NSGs are used to define the rules of how traffic is filtered for your IaaS deployments in Azure. 
We have seen how to create NSG resources and define the NSG rules. However, these NSGs, by 
themselves, are not effective until they are associated with a resource in Azure. 


NSGs can be associated with network interfaces (NICs), which are associated to the VMs, or 
they can be associated with a subnet. Each NIC or subnet can only be associated with a single 
NSG. However, a single NSG can be associated with multiple NICs and/or subnets. 


When associating an NSG with a NIC, it applies to all IP configurations in that NIC. All inbound 
and outbound traffic to and from the NIC must be allowed by the NSG. It is possible to have a 
multi-NIC VM, and you can associate the same or different NSG to each Network Interface. 


Alternatively, NSGs can be associated with a subnet; in that case, they apply to all traffic to 
and from resources in that subnet. This approach is useful when applying the same rule across 
multiple VMs. 
NOTE HOW NSGs ARE APPLIED 


Microsoft does not recommend deploying NSGs to subnets and NICs within the same subnet. 
However, although Microsoft does not recommend it, this configuration is supported, and it’s 
important to understand how NSGs are applied when deployed in this way. 


For inbound traffic, first the NSG at the subnet is applied, followed by the NSG at the NIC. 
Traffic only flows if both NSGs allow the traffic to pass. For outbound traffic, the sequence is 
reversed. First, the NSG at the NIC is applied, followed by the NSG at the subnet. Again, traffic 
only flows if both NSGs allow the traffic to pass. 


In all cases, rules within each NSG are applied in priority order, and the first matching rule 
determines the outcome for that NSG. 
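To make these evaluation rules concrete, here is an added Python model (not from the book, and not Azure's own implementation) that replays the priority note's example, the three-tier rule set of Figure 4-37 with ASG names and the default rules of Tables 4-7 and 4-8, and the subnet-then-NIC ordering described in the note above. The VNet prefix, VM addresses and ASG membership are constructed sample values, and the service tags are simplified stand-ins for the platform's real prefix lists.

```python
"""Model of Azure NSG rule evaluation: priority order, first match wins, default
rules, service tags, ASGs and subnet/NIC ordering. Added example, not Azure's code."""
import ipaddress
from dataclasses import dataclass

# Constructed sample environment (hypothetical values, not from the book).
VNET_PREFIXES = ["10.0.0.0/16"]      # address space behind the VirtualNetwork tag
AZURE_LB_PROBE_IP = "168.63.129.16"  # platform address that health probes come from
ASGS = {"WebServers": ["10.0.1.4", "10.0.1.5"], "AppServers": ["10.0.1.10"],
        "DatabaseServers": ["10.0.1.20"]}  # application security group -> member VM IPs


@dataclass
class Rule:
    name: str
    priority: int          # 100-4096 for your rules; default rules sit at 65000+
    direction: str         # "Inbound" or "Outbound"
    access: str            # "Allow" or "Deny"
    protocol: str = "*"    # "Tcp", "Udp", "Icmp" or "*" (shown as Any in the portal)
    source: str = "*"      # IP, CIDR, service tag, ASG name or "*"
    dest: str = "*"
    dest_ports: str = "*"  # "80,443", "1-65535" or "*"


# Default rules of every NSG (Tables 4-7 and 4-8). They cannot be edited, but
# any rule you add has a lower number and is therefore checked first.
DEFAULT_RULES = [
    Rule("AllowVNetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny"),
    Rule("AllowVNetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "Internet"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny"),
]


def address_matches(spec, ip):
    """Does a prefix, service tag, ASG name or "*" cover ip? Service tags are
    simplified here; the real ones expand to platform-maintained prefix lists,
    which is exactly what the Effective Security Rules view shows."""
    addr = ipaddress.ip_address(ip)
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return any(addr in ipaddress.ip_network(p) for p in VNET_PREFIXES)
    if spec == "AzureLoadBalancer":
        return addr == ipaddress.ip_address(AZURE_LB_PROBE_IP)
    if spec == "Internet":
        return addr.is_global  # simplification: any publicly routable address
    if spec in ASGS:
        return ip in ASGS[spec]  # ASG membership replaces an explicit IP list
    return addr in ipaddress.ip_network(spec, strict=False)


def port_matches(spec, port):
    """Match a port against "*", "80", "80,443" or "1-65535" style specs."""
    if spec == "*":
        return True
    for part in spec.split(","):
        low, _, high = part.strip().partition("-")
        if int(low) <= port <= int(high or low):
            return True
    return False


def evaluate_nsg(rules, direction, protocol, src_ip, dst_ip, dst_port):
    """Return the first matching rule, lowest priority number first. Processing
    stops there; the default DenyAll rule guarantees that something matches."""
    candidates = [r for r in rules + DEFAULT_RULES if r.direction == direction]
    for rule in sorted(candidates, key=lambda r: r.priority):
        if (rule.protocol in ("*", protocol)
                and address_matches(rule.source, src_ip)
                and address_matches(rule.dest, dst_ip)
                and port_matches(rule.dest_ports, dst_port)):
            return rule
    raise RuntimeError("unreachable: DenyAll always matches")


def flow_allowed(direction, protocol, src_ip, dst_ip, dst_port,
                 subnet_nsg=None, nic_nsg=None):
    """Inbound traffic meets the subnet NSG first, then the NIC NSG; outbound
    the reverse. Both must allow the flow. No NSG at either level means no filtering."""
    order = [subnet_nsg, nic_nsg] if direction == "Inbound" else [nic_nsg, subnet_nsg]
    for nsg in order:
        if nsg is not None and evaluate_nsg(
                nsg, direction, protocol, src_ip, dst_ip, dst_port).access == "Deny":
            return False
    return True


# The note's example: allow all TCP at priority 250, deny TCP port 80 at 125.
PRIORITY_EXAMPLE = [
    Rule("AllowAllTcp", 250, "Inbound", "Allow", "Tcp"),
    Rule("DenyHttp", 125, "Inbound", "Deny", "Tcp", dest_ports="80"),
]

# The three-tier rule set of Figure 4-37 written with ASG names; its explicit
# DenyAll also overrides the default AllowVNetInBound between tiers.
TIER_NSG = [
    Rule("InternetToWeb", 100, "Inbound", "Allow", "Tcp", "Internet", "WebServers", "80,443"),
    Rule("WebToApp", 200, "Inbound", "Allow", "Tcp", "WebServers", "AppServers", "443"),
    Rule("AppToDatabase", 300, "Inbound", "Allow", "Tcp", "AppServers", "DatabaseServers", "1433"),
    Rule("LBProbes", 400, "Inbound", "Allow", "*", "AzureLoadBalancer", "VirtualNetwork"),
    Rule("DenyAll", 4096, "Inbound", "Deny"),
]

# A NIC-level NSG: the chapter's Allow_HTTP_HTTPS rule plus a lower-numbered deny.
NIC_NSG = [
    Rule("Allow_HTTP_HTTPS", 100, "Inbound", "Allow", "Tcp", "*", "VirtualNetwork", "80,443"),
    Rule("Deny_HTTPS", 90, "Inbound", "Deny", "Tcp", dest_ports="443"),
]
```

Running flow_allowed for an Internet client against a web server with TIER_NSG on the subnet and NIC_NSG on the NIC shows port 80 passing both NSGs while port 443 is stopped at the NIC, even though the subnet NSG allowed it.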


Associating an NSG with a subnet using the Azure portal 


We have seen how to create an NSG and how to add an inbound rule for HTTP and HTTPS 
traffic. Yet, unless the NSG has been associated with subnets or NICs, that rule is not in effect. 


The next task will be to associate the NSG with the Apps subnet. You can use either the NSG 
blade or the virtual network subnet blade for this task. For this example, we'll use the former. 


In the NSG blade of the Azure portal, click the Subnets link to show the list of subnets 
currently associated with the NSG, which should be empty at this stage. Click +Associate to open 
the Associate Subnet blade. Azure portal will ask for two configurations: the virtual network, 
and the subnet. Note that you can only select virtual networks in the same Azure region as the 
NSG. In Figure 4-41, ExamRef-VNet has been selected from the Virtual Network drop-down 
menu, and Apps has been selected from the Subnet drop-down menu. 


[Screenshot: the Associate subnet blade for AppsNSG, with Virtual network ExamRef-VNet and Subnet Apps selected.] 


FIGURE 4-41 The ExamRef-VNet virtual network and Apps subnet have been selected 


After being saved, the rules of the NSG are now being enforced for all network interfaces 
that are associated with this subnet. This will allow inbound TCP traffic on ports 80 and 443 
for all VMs that are connected to this subnet. Of course, in order for it to respond, you need to 
have a webserver VM configured and listening on ports 80 or 443. 
Evaluate effective security rules 

When troubleshooting networking issues, it can be useful to get a deeper insight into exactly 
how NSGs are being applied. When NSG rules are defined using service tags and application 
security groups, instead of explicit IP addresses or prefixes, it sometimes isn’t clear whether a 
particular flow matches a particular rule. 

The Effective Security Rules view is designed to provide this insight. It allows you to drill 
into each NSG rule and see the exact list of source and destination IP prefixes that have been 
applied, regardless of how the NSG rule was defined. 

To access the Effective Security Rules view, your virtual machine must be running because 
the data is taken directly from the configuration of the running VM. 


View effective security rules using the Azure portal 

Using the Azure portal, open the Virtual Machine blade, and then click Networking. This will 
show the networking settings, including the NSG rules and a convenient Add Inbound Port 
Rule button. At the top of this blade, click Effective Security Rules, as shown in Figure 4-42, 
to open the Effective Security Rules blade. 


[Screenshot: the ExamRef | Networking blade of the virtual machine.] 


FIGURE 4-42 Azure Virtual Machine Networking blade 


The Effective Security Rules blade (see Figure 4-43) looks very similar to the Networking 
blade shown in Figure 4-42. It shows the name of the network interface and associated NSGs, 
along with a list of NSG rules. 

The difference becomes clear when you click one of the NSG rules, which opens an 
additional pane that shows the exact source and destination IP address prefixes used by that 
rule. For example, in Figure 4-44, you can see the exact list of 122 IP address prefixes used for 
outbound Internet traffic. 

Having access to the exact list of address prefixes for each NSG rule allows you to 
investigate networking issues without fear of any ambiguity over how NSG rules are defined. 
FIGURE 4-43 Azure virtual machine Effective Security Rules 

FIGURE 4-44 Effective Security Rules showing Internet address prefixes 


Implement Azure Firewall 


Azure Firewall is a managed service that provides out-of-the-box network security for Azure 
resources. Because this is a managed service, its added advantages are that it offers high 
availability and scalability. In a typical enterprise environment, outbound network access 
restrictions are mandatory because, without them, resources have direct access to the external web. Azure Firewall 
provides the ability to limit the outbound IP addresses and ports that are allowed to 
communicate from within an Azure subnet. It also provides additional benefits such as outbound SNAT 
support, inbound DNAT support, and Azure Monitor logging. 
Azure Firewall allows us to create and configure application and network rules. Application 
rules are created with the list of fully qualified names that are allowed to be accessed from a 
subnet. Network rules are a combination of source and destination IP addresses along with 
their ports and protocols. The network traffic solely depends on the firewall rules applied when 
the traffic is routed through the firewall. 


Deploy and configure Azure Firewall using the Azure portal 


Most enterprise deployments consider a hub-and-spoke model as the standard for Azure Firewall 
implementation, where Azure Firewall is hosted in its own VNet and the other resources are placed in 
peered VNets in the same region with one or more subnets. However, in small-scale 
deployments, Azure Firewall can be hosted in its own dedicated subnet within a VNet. 


Create required VNet and subnets 


In the following example, it is assumed that you've already created the ExamRef-VNet, which 
has three subnets named AzureFirewallSubnet, WorkloadSubnet, and JumphostSubnet, as shown 
in Figure 4-45. (See Skill 4.1, "Implement and manage virtual networking," for detailed 
instructions for how to create a virtual network and the relevant subnets.) 


FIGURE 4-45 The ExamRef-VNet with its subnets for Azure Firewall deployment (AzureFirewallSubnet 
10.1.0.0/24, WorkloadSubnet 10.1.1.0/24, and JumphostSubnet 10.1.2.0/24, each with 251 addresses available) 


NOTE AZURE FIREWALL SUBNET REQUIREMENTS 


Azure Firewall must be hosted in a subnet named AzureFirewallSubnet with a minimum /26 
address space in order for the Azure Firewall to provision more VMs to accommodate scaling. 
Create required VMs 


Now, you need to deploy two virtual machines—ExamRef-Jump and ExamRef-Work—in the same 
resource group as ExamRef-VNet. Remember to place the VMs in JumphostSubnet and 
WorkloadSubnet, respectively. The networking blade for ExamRef-Jump is shown in Figure 4-46. 


FIGURE 4-46 The Networking blade while creating the Examref-Jump VM (Virtual network: ExamRef-VNet; 
Subnet: JumphostSubnet (10.1.2.0/24); Public IP: (new) Examref-Jump; NIC network security group: Basic; 
Public inbound ports: RDP (3389). The portal warns that this allows all IP addresses to reach the VM, 
that it is recommended only for testing, and that the Advanced controls on the Networking tab should 
be used to create rules that limit inbound traffic to known IP addresses.) 


The networking blade for ExamRef-Work is shown in Figure 4-47. 


FIGURE 4-47 The Networking blade while creating the Examref-Work VM 


Create an Azure Firewall 


To deploy Azure Firewall, click +Create A Resource > Networking > Firewall to open the 
Create A Firewall blade. Fill in the blade by selecting the same Subscription, Resource Group, 
and Region that are used for ExamRef-VNet. Also, specify the Name for the firewall, select the 
virtual network from the Virtual Network drop-down menu, and create a new public IP address, 
as shown in Figure 4-48. 
FIGURE 4-48 Basics blade while creating a firewall using the Azure portal (fields: Resource group, Name, 
Availability zone, Virtual network, Public IP address, and Forced tunneling). The blade describes Azure 
Firewall as a fully stateful firewall as a service with built-in high availability and unrestricted cloud 
scalability; it uses a static public IP address so that outside firewalls can identify traffic originating 
from your virtual network, and it is fully integrated with Azure Monitor for logging and analytics. 


Once created, the firewall overview blade will appear, as shown in Figure 4-49. 
FIGURE 4-49 Overview of Azure Firewall 


Create and associate a route table with a firewall 


You need to create a route table with a default route that sends outbound requests through the 
firewall. To create the route table, follow these steps: 


1. Click +Create A Resource > Networking > Route Table to open the Create Route 
Table blade. 


2. Choose the Subscription, Resource Group, and Region from the drop-down menus, and 
in the Name field, specify the route table name (see Figure 4-50). 


FIGURE 4-50 Basics blade while creating a route table using the Azure portal (Subscription: Visual Studio 
Ultimate with MSDN; Resource group: ExamRef-RG; Region: Canada Central; Name: ExamRef-FW-RouteTable; 
Propagate gateway routes: Yes) 


3. Once created, associate WorkloadSubnet with this route table, as shown in Figure 4-51. 


4. Open the route table and then click Subnets > Associate to associate WorkloadSubnet. 


FIGURE 4-51 Subnets page of ExamRef-FW-RouteTable with the Associate subnet option 
5. Now you should add a default route to the firewall. From the Routes section in the 
left-side navigation menu, click Add. Set the Route Name, Address Prefix, Next Hop 
Type, and Next Hop Address options, as shown in Figure 4-52. 

6. To set a route as the default route, the Address Prefix must be set to 0.0.0.0/0. For 
the Next Hop Address, use the private IP address of the firewall created in the 
previous section. 


FIGURE 4-52 Add default route to the route table (Route name: Default-FW-Route; Address prefix: 
0.0.0.0/0; Next hop type: Virtual appliance; Next hop address: 10.1.0.4). The portal reminds you to 
ensure IP forwarding is enabled on your virtual appliance, which can be done in the respective network 
interface's IP address settings; that setting applies to virtual machines used as appliances, not to 
the managed Azure Firewall. 
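The firewall deployment and the route-table steps above, done with the Az.Network PowerShell module, as an added example that is not part of the book. It uses the names and prefixes from Figures 4-45 through 4-52; the public IP name ExamRef-FW-pip and the location string canadacentral are assumptions, and the NIC name examref-work131 is taken from Figure 4-57. The check at the top enforces the AzureFirewallSubnet naming and /26 sizing requirement from the note earlier, before anything is created.

```powershell
# Added example (not from the book): deploy Azure Firewall into ExamRef-VNet and route
# WorkloadSubnet's default route through it. Assumed names: "ExamRef-FW-pip", "canadacentral".
$rg  = "ExamRef-RG"
$loc = "canadacentral"

$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name "ExamRef-VNet"

# Pre-flight check: the subnet must be named exactly AzureFirewallSubnet and be a /26 or
# larger; otherwise deployment fails or the firewall cannot add instances when scaling.
$fwSubnet = $vnet.Subnets | Where-Object { $_.Name -eq "AzureFirewallSubnet" }
if (-not $fwSubnet) { throw "ExamRef-VNet has no subnet named AzureFirewallSubnet" }
$prefixLen = [int](@($fwSubnet.AddressPrefix)[0].Split('/')[1])
if ($prefixLen -gt 26) { throw "AzureFirewallSubnet is /$prefixLen; /26 or larger is required" }

# Azure Firewall requires a Standard-SKU, statically allocated public IP.
$fwPip = New-AzPublicIpAddress -ResourceGroupName $rg -Name "ExamRef-FW-pip" -Location $loc `
    -AllocationMethod Static -Sku Standard

# Creating the firewall takes several minutes.
$fw = New-AzFirewall -ResourceGroupName $rg -Name "ExamRef-Firewall" -Location $loc `
    -VirtualNetwork $vnet -PublicIpAddress $fwPip

# The firewall's private IP (10.1.0.4 in Figure 4-52) is the next hop of the default route.
$fwPrivateIp = $fw.IpConfigurations[0].PrivateIPAddress

# Route table with 0.0.0.0/0 -> virtual appliance. Gateway route propagation is left
# enabled, matching the "Yes" selection in Figure 4-50.
$rt = New-AzRouteTable -ResourceGroupName $rg -Name "ExamRef-FW-RouteTable" -Location $loc
Add-AzRouteConfig -RouteTable $rt -Name "Default-FW-Route" -AddressPrefix "0.0.0.0/0" `
    -NextHopType VirtualAppliance -NextHopIpAddress $fwPrivateIp | Set-AzRouteTable

# Associate the route table with WorkloadSubnet only. JumphostSubnet and the firewall
# subnet keep the system default route, so the jump host stays reachable as before.
$work = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name "WorkloadSubnet"
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name "WorkloadSubnet" `
    -AddressPrefix $work.AddressPrefix -RouteTable $rt | Set-AzVirtualNetwork

# Verify: the effective default route on the workload VM's NIC must point at the firewall.
Get-AzEffectiveRouteTable -ResourceGroupName $rg -NetworkInterfaceName "examref-work131" |
    Where-Object { $_.AddressPrefix -contains "0.0.0.0/0" } |
    Select-Object AddressPrefix, NextHopType, NextHopIpAddress
```

The final query is the PowerShell equivalent of the Effective Routes blade; if it still shows NextHopType Internet, the route table is associated with the wrong subnet or the VM is not in WorkloadSubnet.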


Add an Application rule collection 


To filter outbound web traffic, you need to create an application rule. The following steps 
allow you to create an application rule that permits outbound access to www.microsoftpressstore.com. 


1. From the Azure portal, go to the ExamRef-Firewall > Rules section, and then select 
Application Rule Collection > +Add Application Rule Collection, as shown in 
Figure 4-53. 


FIGURE 4-53 Adding an application rule collection (ExamRef-Firewall > Rules > Application rule collection > 
+ Add application rule collection; the blade notes that the Azure infrastructure application rule collection 
is enabled by default) 
2. Specify the application rule Name, Priority, and Action, as shown in Figure 4-54. 


3. Under Target FQDNs, add an entry to allow the Microsoft Press Store website from the 
WorkloadSubnet. 


4. Specify the Source IP address as 10.1.1.0/24, the Protocol as https, and the Target 
FQDN as www.microsoftpressstore.com. 


FIGURE 4-54 Add Application Rule Collection blade (Name: AppRule1; Priority: 100; Action: Allow; under 
Target FQDNs, rule Allow-MicrosoftPressStore with Source type IP address, Protocol:Port https, and Target 
FQDN www.microsoftpressstore.com) 


NOTE INFRASTRUCTURE FQDNs 


By default, infrastructure FQDNs are allowed by Azure Firewall with a built-in rule collection. 
You can override infrastructure FQDNs by creating a deny-all application rule collection. The 
following services are included in the built-in rule collection: 


■ Compute access to storage Platform Image Repository (PIR) 

■ Managed disks status storage access 

■ Azure Diagnostics and Logging (MDS) 


Add network rule collection 


To resolve the FQDN, a network rule must be created to allow the DNS requests from the 
WorkloadSubnet to the public DNS servers (in our case, OpenDNS). To add a network rule, follow 
these steps: 


1. From the Azure portal, go to the ExamRef-Firewall > Rules section, choose Network Rule 
Collection, and click + Add Network Rule Collection, as shown in Figure 4-55. 
FIGURE 4-55 Add network rule collection under Rules for ExamRef-Firewall 


2. Specify the network rule Name, Priority, and Action, as shown in Figure 4-56. 

3. Choose Rules > IP Addresses, and add an entry that allows DNS requests from the 
WorkloadSubnet to the DNS servers. 


4. Set the Protocol to UDP; Source IP Address to 10.1.1.0/24; Destination IP Address to 
208.67.222.222, 208.67.220.220 (OpenDNS servers); and the Destination Port to 53. 


FIGURE 4-56 Adding a network rule collection (Name: NetworkRule1; Priority: 100; Action: Allow; rules can 
be defined by IP Addresses, Service Tags, or FQDNs (preview)) 


You need to make sure that your ExamRef-Work VM uses the OpenDNS server addresses to 
resolve FQDNs. 


1. Go to the network interface for the examref-work131 VM and add these custom DNS 
servers: 208.67.222.222 and 208.67.220.220 (see Figure 4-57). 


2. Restart the VM to apply the changes. 
FIGURE 4-57 Update the custom DNS servers for the ExamRef-Work VM (network interface examref-work131 > 
DNS servers > Custom: 208.67.222.222 and 208.67.220.220, shown as the applied DNS servers) 
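The application rule, the network rule for DNS, and the NIC's custom DNS servers, configured with Az.Network PowerShell as an added example that is not the book's own code. It assumes ExamRef-Firewall and the NIC examref-work131 already exist in ExamRef-RG; all addresses, names, and priorities come from Figures 4-54 through 4-57.

```powershell
# Added example (not from the book): the rule collections of Figures 4-54 and 4-56 and the
# NIC DNS change of Figure 4-57. Assumes "ExamRef-Firewall" already exists in "ExamRef-RG".
$rg = "ExamRef-RG"
$fw = Get-AzFirewall -ResourceGroupName $rg -Name "ExamRef-Firewall"

# Application rule collection: allow HTTPS from WorkloadSubnet to the Press Store only.
# Application rules match on the FQDN, so nothing else on the web is reachable from the subnet.
$appRule = New-AzFirewallApplicationRule -Name "Allow-MicrosoftPressStore" `
    -SourceAddress "10.1.1.0/24" -Protocol "https" -TargetFqdn "www.microsoftpressstore.com"
$appColl = New-AzFirewallApplicationRuleCollection -Name "AppRule1" -Priority 100 `
    -ActionType Allow -Rule $appRule
$fw.ApplicationRuleCollections.Add($appColl)

# Network rule collection: the application rule can only match an FQDN that the VM can
# resolve, so allow UDP/53 from WorkloadSubnet to the two OpenDNS resolvers and nothing else.
$dnsRule = New-AzFirewallNetworkRule -Name "Allow-DNS" -Protocol UDP `
    -SourceAddress "10.1.1.0/24" -DestinationAddress "208.67.222.222", "208.67.220.220" `
    -DestinationPort 53
$netColl = New-AzFirewallNetworkRuleCollection -Name "NetworkRule1" -Priority 100 `
    -ActionType Allow -Rule $dnsRule
$fw.NetworkRuleCollections.Add($netColl)

# One update writes both collections. Within a rule type, a lower priority number is
# evaluated first, so an Allow collection at 100 wins over a Deny collection at 200.
Set-AzFirewall -AzureFirewall $fw

# Point the workload NIC at the same resolvers the network rule allows. Any other resolver
# (including the Azure-provided one, 168.63.129.16, which the route table now sends through
# the firewall) would be dropped by the firewall because no network rule permits it.
$nic = Get-AzNetworkInterface -ResourceGroupName $rg -Name "examref-work131"
$nic.DnsSettings.DnsServers.Clear()
$nic.DnsSettings.DnsServers.Add("208.67.222.222")
$nic.DnsSettings.DnsServers.Add("208.67.220.220")
$nic | Set-AzNetworkInterface

# The guest only picks up new DNS settings after a restart (step 2 above).
Restart-AzVM -ResourceGroupName $rg -Name "ExamRef-Work"
```

The comment about the Azure-provided resolver explains why step 1 above is not optional: once the default route points at the firewall, name resolution that is not explicitly allowed by a network rule fails, and the application rule then never sees a matching FQDN.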


Test the Azure Firewall 

To test the Azure Firewall rules, follow these steps: 

1. Connect to the ExamRef-Jump VM using the public IP address 52.228.7.130. 


2. Then RDP from the ExamRef-Jump VM to connect to the ExamRef-Work machine using 
the private IP address 10.1.1.4. 


To test the application rule created earlier, open a web browser on the ExamRef-Work VM and 
type the website URL https://www.microsoftpressstore.com/, as shown in Figure 4-58. 


FIGURE 4-58 Test firewall application rules for the Microsoft Press Store website (a Remote Desktop session 
to 52.228.7.130, a nested session to 10.1.1.4, and https://www.microsoftpressstore.com loading in the browser) 
This should work just fine, but if you try to access any other websites, such as www.microsoft.com 
or www.google.com, those will be blocked by the firewall. If you want to access these websites, 
you should create an application rule for each of them in Azure Firewall. 


Create a DNAT rule 


If you don’t want to use the ExamRef-Jump VM to connect to the ExamRef-Work VM, then 
you should consider creating a DNAT rule in the firewall. This rule will allow you to connect to the 
ExamRef-Work VM through the firewall (using the firewall’s public IP address). Follow these steps to 
create a DNAT rule: 


1. Go to the ExamRef-Firewall > Rules section, choose NAT Rule Collection, and click + 
Add NAT Rule Collection, as shown in Figure 4-59. 


2. Specify the NAT rule Name and Priority, as shown in Figure 4-60. 


3. Under Rules, add an entry that allows RDP using private IP addresses through Azure 
Firewall. 

4. Specify the following settings: 
■ Protocol. TCP 
■ Source. * 
■ Destination IP Address. 20.39.143.187 (Firewall Public IP Address) 
■ Destination Port. 3389 
■ Translated Address. 10.1.1.4 (ExamRef-Work VM Private IP Address) 
■ Translated Port. 3389 


FIGURE 4-59 Add NAT rule collection under Rules for ExamRef-Firewall (the blade notes that when a DNAT rule 
is matched, an implicit corresponding network rule to allow the translated traffic is added) 
FIGURE 4-60 Adding a NAT rule collection (Name: NATRule1; Priority: 100; rule columns: Protocol, Source type, 
Source, Destination Addr, Destination Ports, Translated address, Translated port) 


Once created, you should be able to RDP to the ExamRef-Work VM using the firewall’s 
public IP address. 
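The DNAT rule as an added Az.Network PowerShell example, not the book's own code. It assumes the firewall's public IP resource is named ExamRef-FW-pip (an assumption; the book shows its address, 20.39.143.187, but not its resource name) and keeps the book's Source of *. The comment marks where to narrow the source; the 203.0.113.0/24 prefix used there is a documentation placeholder, not a real range.

```powershell
# Added example (not from the book): the DNAT rule of Figure 4-60. Assumes the firewall
# public IP resource is named "ExamRef-FW-pip"; 10.1.1.4 is ExamRef-Work's private IP.
$rg    = "ExamRef-RG"
$fw    = Get-AzFirewall -ResourceGroupName $rg -Name "ExamRef-Firewall"
$fwPip = Get-AzPublicIpAddress -ResourceGroupName $rg -Name "ExamRef-FW-pip"

# "*" reproduces the book's setting and exposes TCP/3389 on the firewall's public IP to
# the whole Internet. The implicit network rule that DNAT adds only allows the translated
# flow; it does not restrict who may send it, so narrow the source to the address range your
# administrators connect from (e.g. "203.0.113.0/24", a documentation placeholder here).
$source = "*"

$natRule = New-AzFirewallNatRule -Name "RDP-to-ExamRef-Work" -Protocol TCP `
    -SourceAddress $source -DestinationAddress $fwPip.IpAddress -DestinationPort 3389 `
    -TranslatedAddress "10.1.1.4" -TranslatedPort 3389
$natColl = New-AzFirewallNatRuleCollection -Name "NATRule1" -Priority 100 -Rule $natRule
$fw.NatRuleCollections.Add($natColl)
Set-AzFirewall -AzureFirewall $fw

# Review what the firewall now translates. Anything with SourceAddresses "*" and a
# management port (3389, 22) is worth a second look before leaving it in place.
(Get-AzFirewall -ResourceGroupName $rg -Name "ExamRef-Firewall").NatRuleCollections |
    ForEach-Object { $_.Rules } |
    Select-Object Name, Protocols, SourceAddresses, DestinationAddresses, `
        DestinationPorts, TranslatedAddress, TranslatedPort
```

Because Azure Firewall SNATs DNAT'd traffic to its own private IP before forwarding it, the return path from ExamRef-Work goes back through the firewall even without the route table association; the route table is still needed for the outbound filtering shown earlier.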


MORE INFO DEPLOY AZURE FIREWALL USING POWERSHELL OR CLI 


Azure Firewall can be deployed using PowerShell or the CLI; see the following documentation: 

■ PowerShell: https://docs.microsoft.com/en-us/azure/firewall/deploy-ps 

■ CLI: https://docs.microsoft.com/en-us/azure/firewall/deploy-cli 


Implement Azure Bastion Service 


You generally connect to remote machines with either RDP or SSH. To do so, you either need to 
assign a public IP address (with the RDP/SSH port exposed) to the VM to which you are trying 
to connect, or you need to provision an additional jump server, assign a public IP address to 
that jump server, and then connect to the other virtual machines internally using their private 
IP addresses. 


You can also implement Network Security Groups (NSGs) to restrict the source IP 
addresses and ports allowed for your network traffic. Still, you are exposing RDP/SSH ports 
over the Internet, which is a potential security threat. 

To overcome this issue, Microsoft has created a managed PaaS service called Azure Bas- 
tion that provides secure connections to Azure virtual machines over an SSL channel directly 
through a browser, without any external client. This service helps you to limit threats such as 
port scanning and other malware. 


NOTE AZURE BASTION REGIONS 


The Azure Bastion service is only available in selected regions across the globe. You can find the 
supported regions at https://docs.microsoft.com/en-us/azure/bastion/bastion-overview#faq. 
The Azure Bastion service is provisioned within a VNet in a separate subnet called 
AzureBastionSubnet. If you have multiple VNets in your environment, you will need to deploy Azure 
Bastion for each VNet separately. 


Deploy and configure Azure Bastion Service using the Azure portal 


In the following example, it is assumed that you have already created the ExamRef-VNet with 
a subnet named AzureBastionSubnet and with a prefix of at least /27. Refer to “Create and 
configure VNet peering,” for detailed instructions on how to create a virtual network and 
subnet. 


To create a Bastion service using Azure portal, follow these steps: 
1. Click Create A Resource, and then search for and select Bastion. 


2. Once the Create A Bastion blade loads, you will need to provide a Name, the 
Subscription where your resources are located, the Resource Group for the Bastion, 
and the region (select the supported region). 


3. You also need to select the Virtual Network and Subnet and create a Public 
IP Address, as shown in Figure 4-61. 


FIGURE 4-61 Creating a Bastion (Name: ExamRef-Bastion; Resource group: ExamRef-RG; Region: Canada Central; 
Virtual network: ExamRef-VNet; Subnet: AzureBastionSubnet (10.1.3.0/24); Public IP address: Create new, 
named ExamRef-Bastion-ip, Standard SKU) 
4. Once created, the ExamRef-Bastion overview blade will appear, as shown in Figure 4-62. 


FIGURE 4-62 Overview blade of ExamRef-Bastion 


5. To test this Bastion, browse to the Overview blade of your ExamRef-Work VM, click 
Connect, and select the Bastion tab, as shown in Figure 4-63. 


FIGURE 4-63 Connecting to the ExamRef-Work VM through Azure Bastion (ExamRef-Work > Connect > BASTION tab, 
with Username and Password fields and the Open in new window option; the blade also recommends enabling 
just-in-time access on the VM) 


6. Once you click Connect, you will be redirected to the interactive browser session to the 
ExamRef-Work VM through Bastion, as shown in Figure 4-64. 
FIGURE 4-64 Managing ExamRef-Work VM through Bastion 
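The Bastion deployment as an added Az.Network PowerShell example, not the book's own code, using the names from Figure 4-61. It checks the AzureBastionSubnet name and the /27 minimum the text gives before creating anything, and finishes by listing NICs in the resource group that still carry a public IP, since Bastion removes the need for one on the workload VM.

```powershell
# Added example (not from the book): deploy Azure Bastion into ExamRef-VNet. Names follow
# Figure 4-61; the location string "canadacentral" is an assumption.
$rg  = "ExamRef-RG"
$loc = "canadacentral"

$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name "ExamRef-VNet"

# Pre-flight check: the subnet name is fixed by the service, and the text requires at least /27.
$bastionSubnet = $vnet.Subnets | Where-Object { $_.Name -eq "AzureBastionSubnet" }
if (-not $bastionSubnet) { throw "ExamRef-VNet has no subnet named AzureBastionSubnet" }
$prefixLen = [int](@($bastionSubnet.AddressPrefix)[0].Split('/')[1])
if ($prefixLen -gt 27) { throw "AzureBastionSubnet is /$prefixLen; /27 or larger is required" }

# Bastion needs its own Standard-SKU static public IP; the VMs behind it need none.
$bastionPip = New-AzPublicIpAddress -ResourceGroupName $rg -Name "ExamRef-Bastion-ip" `
    -Location $loc -AllocationMethod Static -Sku Standard

New-AzBastion -ResourceGroupName $rg -Name "ExamRef-Bastion" `
    -PublicIpAddress $bastionPip -VirtualNetwork $vnet

# With Bastion in place, a VM that still has a public IP with RDP/SSH open is the exposure
# the section describes. List every NIC in the resource group that carries a public IP so
# those addresses (and the matching NSG inbound rules) can be removed.
Get-AzNetworkInterface -ResourceGroupName $rg |
    Where-Object { $_.IpConfigurations | Where-Object { $_.PublicIpAddress } } |
    Select-Object Name, @{ Name = "PublicIp"; Expression = {
        ($_.IpConfigurations | Where-Object { $_.PublicIpAddress } |
            ForEach-Object { $_.PublicIpAddress.Id.Split('/')[-1] }) -join ", " } }
```

In the lab as built, the listing reports the jump host and the workload VM, both of which were given public IPs in Figures 4-46 and 4-47; after Bastion is verified, detaching those addresses is what actually closes the RDP exposure.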


MORE INFO DEPLOY AZURE BASTION USING POWERSHELL OR CLI 


Azure Bastion can be deployed using PowerShell or the CLI; see the following documentation: 


■ PowerShell: https://docs.microsoft.com/en-us/azure/bastion/bastion-create-host-powershell 

■ CLI: https://docs.microsoft.com/en-us/azure/bastion/create-host-cli 


Skill 4.3: Configure load balancing 


Load balancing is one of the crucial requirements of a network design. Azure offers various 
options to design load balancing solutions. In this section, you will learn how to configure 
Azure Application Gateway and different Load Balancers in Azure. 

Azure Application Gateway is a type of Load Balancer that can manage traffic for web appli- 
cations. The web traffic routing occurs at the application layer (OSI layer 7). The Azure Application 
Gateway offers additional features, such as SSL/TLS termination, autoscaling, URL-based rout- 
ing, redirection, and the like. 


MORE INFO AZURE APPLICATION GATEWAY DOCUMENTATION 


For a complete list of features, see the official documentation: 
https://docs.microsoft.com/en-us/azure/application-gateway/features. 
Azure Load Balancer is a fully managed load-balancing service, which is used to distribute 
inbound traffic across a pool of back-end servers running in an Azure virtual network. It can receive 
traffic on either Internet-facing or Intranet-facing endpoints and supports both UDP and TCP traffic. 


Azure Load Balancer operates at the transport layer (OSI layer 4) to route inbound and 
outbound connections at the packet level. It does not terminate TCP connections, and thus, it 
does not have visibility into application-level constructs. For example, it cannot support SSL 
offloading, URL path-based routing, or cookie-based session affinity. (For these, see “Applica- 
tion Gateway” in Skill 3.1.) 


Azure Load Balancer provides low latency and high throughput, scaling to millions of 
network flows. It also supports automatic failover between back-end servers based on health 
probes and enables high availability applications. 


This section covers how to: 

■ Configure Application Gateway 

■ Azure Load Balancer 

■ Configure an internal or public load balancer 

■ Troubleshoot load balancing 


Configure Azure Application Gateway 


An application gateway routes application web traffic to defined resources in a back-end pool. 
To create and configure an application gateway, follow the steps in the next section. Remem- 
ber, the load-balancing options in Azure can be configured in multiple ways to address various 
requirements. 


Create an application gateway using the Azure portal 
To create an application gateway using Azure portal, follow these steps: 
1. Click Create A Resource, and then search for and select Application Gateway. 


2. On the Create Application Gateway page, you will have four different blades to 
input the parameters for the application gateway: Basics, Frontends, Backends, and 
Configuration. 

3. On the Basics blade, you need to select the Subscription, Resource Group, Region, 
Tier, and Name for the application gateway. Leave the default values for autoscaling. 

4. You also need to select the virtual network and a dedicated subnet for your application 
gateway (refer to Figure 4-65). Note that you need a separate subnet for your back-end 
servers (in our case, ExamRef-WorkloadSubnet). 
FIGURE 4-65 Creating an application gateway (Basics blade: Subscription: Visual Studio Ultimate with MSDN; 
Resource group: (New) ExamRefAG-RG; Application gateway name: ExamRef-AG; Region: Canada Central; Tier: 
Standard V2; Enable autoscaling: Yes, with Minimum scale units 0 and Maximum scale units 10; HTTP2: 
Disabled; Virtual network: ExamRef-VNet; Subnet: ApplicationGatewaySubnet (10.1.4.0/24)) 


5. On the Frontends blade, you need to configure the Frontend IP Address Type for 
the application gateway. Choose either Public or Private based on your requirements. 
In this example, we will create a new Public IP named ExamRef-AG-ip, as shown in 
Figure 4-66. 
FIGURE 4-66 Frontends blade while creating an application gateway (Frontend IP address type: Public; Public 
IP address: (New) ExamRef-AG-ip; the blade notes that an application gateway can use a public IP address, a 
private IP address, or one of each type) 


6. On the Backends blade, you can create a back-end pool with resources to which the 
application gateway can send traffic. Click Add A Backend Pool and add both the VMs 
created earlier in the Azure Firewall configuration as back-end targets (see Figure 4-67). 


7. Instead of VMs, you can also specify IP addresses, a VMSS, or app services as targets. 


FIGURE 4-67 Backends blade while creating an application gateway (Add a backend pool) 


8. The Configuration blade is shown in Figure 4-68. You can still add or update frontends 
and backends from here. 


FIGURE 4-68 Configuration blade while creating an application gateway 


9. Click the + Add A Routing Rule button to connect your frontend and backend pool. 


10. In addition to choosing a routing Rule Name, on the Listener tab, specify the Listener 
Name and select the Frontend IP, Protocol, Port, and Listener Type, as shown in 
Figure 4-69. 


FIGURE 4-69 Add A Routing Rule—Listener tab (Rule name: ExamRefAG-RoutingRule; Listener name: 
ExamRefAG-Listener; Frontend IP: Public; Protocol: HTTP; Port: 80; Listener type: Basic; Error page url: No) 


11. On the Backend Targets tab, select the Target Type and Backend Target created in 
the previous step. Also, choose new HTTP Settings, as shown in Figure 4-70. 


12. Once a routing rule is added, you can create the application gateway; it takes several 
minutes for the deployment to complete (see Figure 4-71). 


13. Now, you can use the application gateway's public IP to serve web requests for the backend 
servers. Requests are load-balanced across all the backend servers according to the 
settings. 
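The same application gateway built with Az.Network PowerShell, as an added example that is not from the book. Names, tier, autoscale limits, listener and routing settings follow Figures 4-65 through 4-70. The backend pool uses the VMs' private IPs: 10.1.1.4 for ExamRef-Work from the text, and 10.1.2.4 for ExamRef-Jump, which is an assumption the book does not state. The Priority on the routing rule is required by recent Az.Network versions for v2 gateways.

```powershell
# Added example (not from the book): the application gateway of Figures 4-65 to 4-70.
# Assumptions: location "canadacentral"; jump host private IP 10.1.2.4.
$agRg   = "ExamRefAG-RG"
$vnetRg = "ExamRef-RG"
$loc    = "canadacentral"

New-AzResourceGroup -Name $agRg -Location $loc -Force | Out-Null

# The gateway gets its own subnet; backend servers live in a different one.
$vnet     = Get-AzVirtualNetwork -ResourceGroupName $vnetRg -Name "ExamRef-VNet"
$agSubnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name "ApplicationGatewaySubnet"

# Frontend: a new Standard, static public IP (v2 tiers do not accept Basic or dynamic IPs).
$agPip = New-AzPublicIpAddress -ResourceGroupName $agRg -Name "ExamRef-AG-ip" -Location $loc `
    -AllocationMethod Static -Sku Standard

$gwIpConfig = New-AzApplicationGatewayIPConfiguration -Name "ExamRefAG-GwIpConfig" -Subnet $agSubnet
$feIpConfig = New-AzApplicationGatewayFrontendIPConfig -Name "ExamRefAG-Frontend" -PublicIPAddress $agPip
$fePort     = New-AzApplicationGatewayFrontendPort -Name "ExamRefAG-Port80" -Port 80

# Backend pool with both VMs, and the HTTP settings used to reach them.
$backendPool = New-AzApplicationGatewayBackendAddressPool -Name "ExamRefAG-Backend" `
    -BackendIPAddresses "10.1.1.4", "10.1.2.4"
$httpSettings = New-AzApplicationGatewayBackendHttpSetting -Name "ExamRef-HTTPSettings" `
    -Port 80 -Protocol Http -CookieBasedAffinity Disabled -RequestTimeout 20

# Basic listener on HTTP/80 and the routing rule that ties frontend to backend.
$listener = New-AzApplicationGatewayHttpListener -Name "ExamRefAG-Listener" -Protocol Http `
    -FrontendIPConfiguration $feIpConfig -FrontendPort $fePort
$rule = New-AzApplicationGatewayRequestRoutingRule -Name "ExamRefAG-RoutingRule" -RuleType Basic `
    -HttpListener $listener -BackendAddressPool $backendPool -BackendHttpSettings $httpSettings `
    -Priority 100

# Standard_v2 with autoscaling 0..10 instances, as in Figure 4-65.
$sku       = New-AzApplicationGatewaySku -Name Standard_v2 -Tier Standard_v2
$autoscale = New-AzApplicationGatewayAutoscaleConfiguration -MinCapacity 0 -MaxCapacity 10

# Deployment takes several minutes.
New-AzApplicationGateway -ResourceGroupName $agRg -Name "ExamRef-AG" -Location $loc `
    -Sku $sku -AutoscaleConfiguration $autoscale `
    -GatewayIpConfigurations $gwIpConfig -FrontendIpConfigurations $feIpConfig -FrontendPorts $fePort `
    -BackendAddressPools $backendPool -BackendHttpSettingsCollection $httpSettings `
    -HttpListeners $listener -RequestRoutingRules $rule | Out-Null

# Check backend health before pointing clients at the frontend IP: a backend shown as
# Unhealthy usually means no web server is listening on port 80 or an NSG blocks the probe.
Get-AzApplicationGatewayBackendHealth -ResourceGroupName $agRg -Name "ExamRef-AG" |
    Select-Object -ExpandProperty BackendAddressPools |
    Select-Object -ExpandProperty BackendHttpSettingsCollection |
    Select-Object -ExpandProperty Servers |
    Select-Object Address, Health
```

Note that the two lab VMs were not built with a web server, so the health check will report them as Unhealthy until IIS or another listener on port 80 is installed; the gateway only sends traffic to backends its probe reports as Healthy.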
FIGURE 4-70 Backend Targets tab (Rule name: ExamRefAG-RoutingRule; Target type: Backend pool; Backend target: 
ExamRefAG-Backend; HTTP settings: ExamRef-HTTPSettings; no path-based rules) 
FIGURE 4-71 The application gateway overview page 


Azure Load Balancer 


The deployment of Azure Load Balancer involves the coordinated configuration of several 
groups of settings. These settings work together to define the overall Load Balancer behavior. 
Basic and Standard Load Balancer tiers 


Azure Load Balancer is available in two pricing tiers (SKUs): Basic and Standard. These tiers offer 
different levels of scale, features, and pricing. Table 4-9 provides a comparison of the main 
feature differences between the Basic and Standard tiers. 


TABLE 4-9 Standard and Basic Load Balancer Tiers 

FEATURE: Availability Zones 
  Standard: Supports zone-specific or zone-redundant deployments, including cross-zone load-balancing 
  Basic: Not supported 

FEATURE: Backend Pools 
  Standard: Up to 1,000 servers, any mix of VMs, availability sets, and VM Scale Sets—in the same VNet 
  Basic: Up to 300 servers; must be VMs in the same availability set or a single VM Scale Set 

FEATURE: Health Probes 
  Standard: TCP, HTTP, HTTPS 
  Basic: TCP, HTTP 

FEATURE: Diagnostics 
  Standard: Rich metrics via Azure Monitor, including byte and packet counters, health probe status, 
  connection attempts, outbound connection health, and more 
  Basic: Azure Monitor for public Load Balancer only; alerts and backend pool health count 

FEATURE: Security 
  Standard: Inbound flows closed by default; inbound flows must be permitted using Network Security Groups 
  Basic: Open by default; can optionally restrict flows using Network Security Groups 

FEATURE: Outbound Connectivity 
  Standard: Supports multiple outbound IP addresses that are configurable via outbound rules 
  Basic: Single outbound IP; not configurable 

FEATURE: Other Features 
  Standard: Supports HA Ports, TCP Reset on idle timeout, and faster management operations 
  Basic: N/A 

FEATURE: Pricing 
  Standard: Based on the number of rules and data processed 
  Basic: Free 

FEATURE: SLA 
  Standard: 99.99 percent availability for a data path with two healthy VMs 
  Basic: None 


Frontend IP configuration 


Azure Load Balancer supports two modes: internal Load Balancer or public Load Balancer. In 
each case, the frontend IP configuration defines the endpoint upon which the Load Balancer 
receives incoming traffic. 


■ Internal Load Balancer. Used to load-balance traffic for Intranet-facing applications, or between application tiers. The frontend IP configuration references a subnet, and an IP address from that subnet is allocated to the Load Balancer using either dynamic or static assignment.

■ Public Load Balancer. Used to load-balance traffic for Internet-facing applications. The frontend IP configuration references a separate public IP address resource, which is used to receive inbound traffic.
When used with IaaS VMs, each Load Balancer can support multiple frontend IP configurations. This allows it to receive traffic on multiple IP addresses, to load-balance traffic for multiple applications. All frontend configurations, however, must be of the same type: internal or public.


A public Load Balancer must be associated with a public IP address resource. If the Load Balancer uses the standard pricing tier, then the public IP address must also use the standard pricing tier. Standard-tier Load Balancers support both zone-specific and zone-redundant deployment options. The choice of deployment option is taken from the associated public IP address, rather than being set explicitly in the Load Balancer properties.


Backend configuration 
The backend pool defines the backend servers over which the Load Balancer will distribute 
incoming traffic. 

When using a basic-tier Load Balancer, this backend pool must comprise either a single 
virtual machine, virtual machines in the same availability set, or a VM scale set. (Traffic will be 
distributed to all virtual machines in the VM scale set.) You cannot distribute traffic to multiple 
virtual machines unless they are members of the same availability set or VM scale set. 

With a standard-tier load-balancer, these restrictions are lifted. Backend pools can comprise 
a combination of virtual machines across availability sets and VM scale sets. 


Health Probes 


Azure Load Balancer supports continual health probing of backend pool instances to deter- 
mine which instances are healthy and able to receive traffic. The Load Balancer will stop send- 
ing traffic flows to any backend pool instance that is determined to be unhealthy. Unhealthy 
instances continue to receive health probes, so the Load Balancer can resume sending traffic to 
that instance once it returns to a healthy state. 

Azure Load Balancer supports three types of health probes: 

■ TCP. Probes attempt to initiate a connection by completing a three-way TCP handshake (SYN, SYN-ACK, ACK). If successful, the connection is then closed with a four-way handshake (FIN, ACK, FIN, and ACK).

■ HTTP. Probes issue an HTTP GET with a specified path.

■ HTTPS. Probes are similar to HTTP probes, except that a TLS/SSL wrapper is used. HTTPS probes are only supported on the standard-tier Load Balancer.


All three probe types must also specify the probe port and the probe interval. The minimum probe interval is five seconds, and the minimum consecutive probe failure threshold is two. For HTTP and HTTPS probes, the probe path must also be given.


An endpoint is marked as unhealthy in the following situations:


■ For HTTP or HTTPS probes only, the endpoint returns an HTTP status code other than 200 OK.

■ The probe endpoint closes the connection using a TCP reset.

■ The probe endpoint fails to respond during the timeout period for a consecutive number of requests. The number of failed requests required to mark the endpoint unhealthy is configurable.


Configuring a dedicated health check page, such as /healthcheck.php, enables each back- 
end server to implement custom application logic to decide whether it is healthy. Checking the 
availability of a backend database is an example of this. 

When configuring network security groups (NSGs) for backend servers, it is important to allow both inbound traffic and probe traffic. Azure Load Balancer does not modify the source IP address of inbound traffic, so inbound traffic rules should be configured as if the Load Balancer were not in use. Inbound probe traffic is allowed by permitting traffic originating from the AzureLoadBalancer service tag.


NOTE LOAD BALANCERS AND NETWORK SECURITY GROUPS 


Standard-tier Load Balancers use standard-tier public IP addresses, which by default are closed to inbound traffic. When using a standard-tier Load Balancer, traffic must be allowed using NSGs. In contrast, with basic-tier Load Balancers, traffic should be allowed using NSGs but will also flow if NSGs are not used.


Configure an internal or public load balancer 


As discussed earlier, both internal and public Load Balancers involve the coordinated configu- 
ration of several groups of settings. These settings work together to define the overall Load 
Balancer behavior. 


Create an Azure Load Balancer using the Azure portal 


To use the Azure Load Balancer, the administrator must first provision the resource, which includes the frontend IP configuration. After this step has been completed, you can create the backend pool, the health probes, and finally the load balancing rule.


To create the Load Balancer in Azure portal, click +Create A Resource > Networking > 
Load Balancer. This will open the Create Load Balancer blade, as shown in Figure 4-72. 
Complete the blade as follows: 


■ Name. Provide a name for the Load Balancer resource.

■ Type. Choose Public or Internal.

■ SKU. Select the pricing tier: Basic or Standard.

■ Public IP Address. (Public Load Balancers only.) Choose an existing public IP address resource or create a new one. Standard-tier Load Balancers must use standard-tier public IP addresses.
FIGURE 4-72 Creating a Public Load Balancer with the Azure portal


■ Virtual Network, Subnet And IP Assignment. (Internal Load Balancers only.) Choose the virtual network and subnet from which the frontend IP address will be allocated and choose between static and dynamic allocation (see Figure 4-73).

■ Availability Zone. (Standard-tier Load Balancers only.) For public Load Balancers, the availability zone is configured as part of the public IP address configuration. For internal Load Balancers, it is explicitly specified. (See Figure 4-73.)

■ Subscription, Resource Group, And Location. Specify as required.
FIGURE 4-73 Creating an Internal Load Balancer with the Azure portal


After the Load Balancer has been created, the next steps are to create the backend pool, the 
health probe, and finally the load-balancing rule. 


To create a backend pool, open the Load Balancer blade in the Azure portal, and then click Backend Pools > +Add. This opens the Add Backend Pool blade, as shown in Figure 4-74. Specify the backend pool Name and, for a standard Load Balancer, select the virtual machines (and their IP addresses) to include in the backend pool. For basic Load Balancers, you will need to choose between adding an individual virtual machine, an availability set, or a VM scale set (refer to Figure 4-74).
FIGURE 4-74 Creating a backend pool and adding virtual machines, using a Basic Load Balancer


To create a health probe, navigate to the Load Balancer blade and click Health Probes > 
+Add. This opens the Add Health Probe blade, as shown in Figure 4-75. Specify the health 
probe name, together with the protocol, port, probe interval, and consecutive probe failures 
threshold. 


FIGURE 4-75 Creating a health probe in Azure Load Balancer


The final step is to configure a load balancing rule, which links the frontend IP configuration to the backend pool, specifying the health probe and other load balancing settings. From the Load Balancer blade, click Load Balancing Rules > +Add. This opens the Add Load Balancing Rule blade, as shown in Figure 4-76. Choose the frontend IP configuration, backend pool, and health probe created earlier. For HTTP traffic, select TCP and specify port 80 for both the frontend and backend ports. Select None for Session Persistence and leave the Idle Timeout at the default value of 4 minutes.


NOTE FLOATING IP


The last setting, Floating IP (direct server return), is only recommended when load-balancing 
traffic for a SQL Server Always On Availability Group listener. For other scenarios, the Floating 
IP setting should be left disabled. 
FIGURE 4-76 Creating a load balancing rule in Azure Load Balancer


The final step is to ensure NSGs are configured to allow incoming traffic and health probe 
traffic. With this in place, if the VMs added to the backend pool are configured with a web 
server, you should be able to connect to the public IP address of the Load Balancer and see the 
webpage. 
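The same build (frontend, backend pool, health probe, rule and NSG) scripted with Az PowerShell, as an added example that is not from the book. The resource group, region, NSG name and the two web VM names are assumptions, and the VMs and their virtual network are assumed to exist already.

```powershell
# Added example (not from the book): builds the Standard public Load Balancer from
# the portal walkthrough with Az PowerShell. Names marked "assumed" are not from the book.
$rg       = 'ExamRef-RG'          # assumed resource group
$location = 'westeurope'          # assumed region
$lbName   = 'ExamRef-LB'          # Load Balancer name used in the book's figures

# 1. Frontend: a Standard public IP. A Standard-tier Load Balancer must use a
#    Standard-tier public IP, and the zone choice lives on the IP, not on the LB.
$pip = New-AzPublicIpAddress -ResourceGroupName $rg -Location $location `
    -Name "$lbName-pip" -Sku Standard -AllocationMethod Static -Zone 1,2,3

$frontend = New-AzLoadBalancerFrontendIpConfig -Name 'frontend' -PublicIpAddress $pip

# 2. Backend pool; the VM NICs are added to it in step 6.
$pool = New-AzLoadBalancerBackendAddressPoolConfig -Name 'web-pool'

# 3. HTTP health probe against a dedicated health page, every 5 s (the minimum
#    interval), marking an instance down after 2 consecutive failures (the minimum).
$probe = New-AzLoadBalancerProbeConfig -Name 'http-probe' -Protocol Http -Port 80 `
    -RequestPath '/healthcheck.php' -IntervalInSeconds 5 -ProbeCount 2

# 4. Rule: TCP 80 -> 80, no session persistence (Default distribution), 4-minute idle
#    timeout, Floating IP left disabled (only needed for SQL Always On listeners).
$rule = New-AzLoadBalancerRuleConfig -Name 'http-rule' -Protocol Tcp `
    -FrontendPort 80 -BackendPort 80 -IdleTimeoutInMinutes 4 `
    -LoadDistribution Default -FrontendIpConfiguration $frontend `
    -BackendAddressPool $pool -Probe $probe

$lb = New-AzLoadBalancer -ResourceGroupName $rg -Location $location -Name $lbName `
    -Sku Standard -FrontendIpConfiguration $frontend -BackendAddressPool $pool `
    -Probe $probe -LoadBalancingRule $rule

# 5. NSG for the backend NICs. A Standard LB is closed by default, so both client
#    traffic and probe traffic must be allowed explicitly. The LB preserves the client
#    source IP, so the client rule is written as if the LB were not in the path.
$allowHttp = New-AzNetworkSecurityRuleConfig -Name 'allow-http-in' -Priority 100 `
    -Direction Inbound -Access Allow -Protocol Tcp `
    -SourceAddressPrefix Internet -SourcePortRange '*' `
    -DestinationAddressPrefix VirtualNetwork -DestinationPortRange 80

$allowProbe = New-AzNetworkSecurityRuleConfig -Name 'allow-lb-probe' -Priority 110 `
    -Direction Inbound -Access Allow -Protocol Tcp `
    -SourceAddressPrefix AzureLoadBalancer -SourcePortRange '*' `
    -DestinationAddressPrefix VirtualNetwork -DestinationPortRange 80

$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Location $location `
    -Name 'web-nsg' -SecurityRules $allowHttp, $allowProbe   # assumed NSG name

# 6. Put each web VM's primary NIC into the pool and attach the NSG to it.
foreach ($vmName in 'web-vm1', 'web-vm2') {                 # assumed VM names
    $vm  = Get-AzVM -ResourceGroupName $rg -Name $vmName
    $nic = Get-AzNetworkInterface -ResourceId $vm.NetworkProfile.NetworkInterfaces[0].Id
    $nic.IpConfigurations[0].LoadBalancerBackendAddressPools.Add($lb.BackendAddressPools[0])
    $nic.NetworkSecurityGroup = $nsg
    $nic | Set-AzNetworkInterface | Out-Null
}

"Load Balancer $lbName is listening on $($pip.IpAddress)"
```

Once /healthcheck.php on both VMs answers 200 OK, browsing to the printed address should reach one of them; a VM whose page returns any other status, or that does not answer within the probe interval twice in a row, is taken out of rotation until its probe succeeds again.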


Troubleshoot load balancing 


Basic- and standard-tier Load Balancers also support additional diagnostic logs to enable com- 
mon troubleshooting scenarios. These logs are different between the basic and standard tiers. 
Basic-tier Load Balancer metrics and diagnostics

The basic tier Load Balancer provides the following diagnostic logs:


■ Alert event logs. These logs record Load Balancer alert events. They are written whenever a Load Balancer alert is raised (at most every 5 minutes).

■ Health probe logs. These logs allow you to investigate the status of health probes for backend servers. They are written whenever there is a change in health probe status.

■ Metrics. Used to track common Load Balancer metrics.


To enable basic-tier load-balancer logs, open the Load Balancer blade in the Azure portal, 
select Diagnostic Logs, and click Turn On Diagnostics to open the Diagnostics Configura- 
tion blade, as shown in Figure 4-77. 
FIGURE 4-77 Configuring diagnostics logs in a basic-tier load balancer


Having configured the diagnostics logs, they can be downloaded for offline analysis or 
analyzed using Log Analytics. 


Standard-tier Load Balancer metrics and diagnostics 

The standard Load Balancer also supports diagnostics via metrics routed automatically to 
Azure Monitor. Available metrics include byte count, packet count, health probe status, SYN 
count (for new connections), and more. Azure monitor supports charting and alerting based 
on these metrics. In addition, they are exposed as multi-dimensional metrics, meaning that 
charts and alerts can be built using filtered views. 
Skill 4.4: Monitor and troubleshoot virtual networking


Azure offers numerous features and services to enable you to monitor your network and inves- 
tigate network issues. These features provide a wide range of diagnostic and alerting capabili- 
ties. A good understanding of the range of features available will enable you to investigate 
network issues quickly and effectively. 


This section covers how to:

■ Monitor on-premises connectivity

■ Configure and use Network Performance Monitor

■ Use Azure Network Watcher

■ Troubleshoot external networking

■ Troubleshoot virtual network connectivity


Monitor on-premises connectivity 


Azure Network Performance Monitor (NPM) is a network monitoring solution for hybrid 
networks that enables you to monitor network connectivity and performance between vari- 
ous points in your network, both in Azure and on premises. It can provide reports of network 
performance and raise alerts when network issues are detected. 
NPM provides three services:

■ Performance Monitor. Used to monitor connectivity between various points in your network, both in Azure and on premises. You can monitor nodes at both ends, and you can gather data about connectivity, packet loss, latency, and available network paths.

■ Service Connectivity Monitor. Used to monitor outbound connectivity from nodes on your network to any external service with an open TCP port, such as web sites, applications, or databases. This measures latency, response time, and packet loss, enabling you to determine whether poor performance is caused by network or application issues.

■ ExpressRoute. Used to monitor end-to-end connectivity between your on-premises network and Azure over ExpressRoute. This service can auto-discover your ExpressRoute network topology. It can then track your ExpressRoute bandwidth utilization, packet loss, and latency. These are measured at the circuit, peering, and Azure virtual network level.

NPM also provides a dashboard giving an overview of the network status, as well as detailed per-service charts and reports.


Configure and use Network Performance Monitor 


NPM is a Log Analytics solution. Log Analytics agents are installed on each node used to 
measure network connectivity and performance. These agents perform synthetic transactions 
over either TCP or ICMP to measure network performance. Data gathered from these agents is 
channeled into a Log Analytics workspace. NPM analyzes this data to provide both reporting 
and alerting. 


NPM can be installed from the Azure Marketplace (from the Azure portal, click +Create A 
Resource and search for Network Performance Monitor). It is also available from Network 
Watcher, an Azure service that acts as a hub for a wide range of network monitoring and diag- 
nostic tools. You will be required to create a Log Analytics workspace or select an existing work- 
space to use as shown in Figure 4-78. Be sure to deploy your Log Analytics workspace to one of 
the regions supported by Network Performance Monitor, as listed at https://docs.microsoft.com/ 
azure/azure-monitor/insights/network-performance-monitor#supported-regions. 


FIGURE 4-78 Create Network Performance Monitor


Having deployed NPM, the monitoring agents must be installed and configured. The choice 
of where to install the agents depends on your network topology and which parts of your 
network you plan to measure. To monitor a given network link, agents should be installed on 
servers at both ends of that link. To monitor connections between subnets, an agent on at least 
one server in each subnet is required. 


To install the NPM monitoring agent on an Azure virtual machine, simply open the Log Ana- 
lytics workspace, and click Virtual Machines (under Workspace Data Sources) to see a list 
of virtual machines and the status of their Log Analytics connection (Figure 4-79). From there, 
click a VM and click Connect to add the VM to Log Analytics. After a few minutes, refresh the 
list of virtual machines to see the updated list. 


FIGURE 4-79 Connecting Azure Virtual Machines to a Log Analytics workspace

To connect on-premises servers with Log Analytics, you need to install the Log Analytics agent. Open the Log Analytics Workspace and click Solutions. Select the NPM solution and click the Solution Requires Additional Configuration tile, as shown in Figure 4-80.

FIGURE 4-80 Solution Requires Additional Configuration tile in Network Performance Monitor


Here, you will find options to download and install the Log Analytics agent, the workspace 
IDs and keys needed to configure the agent, and a PowerShell script to open the necessary 
firewall ports, as shown in Figure 4-81. 
FIGURE 4-81 Network Performance Monitor Configuration

Having installed and configured the agents, ensure that Network Security Groups and on-premises firewalls are configured to allow the agents to communicate. The default port used is TCP 8084.


Finally, in the left-navigation pane, complete the Network, Subnetworks, and Nodes 
sections to describe your network topology, as shown in Figure 4-82. This allows you to define 
the networks and subnets in your network and identify which monitoring nodes sit within each 
network segment. 


FIGURE 4-82 Network Performance Monitor Network and Subnetwork Configuration


Performance Monitor 


Performance Monitor enables you to monitor packet loss and latency between your endpoints, 
both in Azure and on-premises. A VM or server running the Log Analytics agent is required at 
both ends of each monitored connection. 


To configure Performance Monitor, first complete the Performance Monitor tab in the 
Setup section of the Network Performance Monitor Configuration blade. This allows you to 
specify TCP or ICMP-based monitoring. 

Next, use the Performance Monitor section to define your monitoring rules. Each rule 
requires you to specify the source and destination networks, and the network protocol. You 
can also choose whether to enable health monitoring events based on defined criteria and 
whether to raise alerts based on those events. An example Performance Monitor rule is shown 
in Figure 4-83. 

Once configured, Performance Monitor will continually gather data from the Log Analytics 
agents, enabling both reporting and alerts. 
FIGURE 4-83 Example Performance Monitor Rule Configuration


Service Connectivity Monitor 

Service Connectivity Monitor is used to test outbound connectivity from your network to any endpoint with an open TCP port, such as a website, application, or database. It supports pre-configured endpoints for Microsoft Office 365 and Dynamics. You can also configure custom tests to arbitrary endpoints.

To use the pre-configured endpoints, select the Service Connectivity Monitor tab from 
the Setup section of the Network Performance Monitor Configuration blade, as shown in 
Figure 4-84. Select the services to monitor, click +Add Agents to choose which of your net- 
work nodes should monitor these services, and then click Save & Continue. 


FIGURE 4-84 Configuring Service Connectivity Monitor for Microsoft Services

Now move to the Service Connectivity Monitor section in the left-navigation pane, which shows the existing tests and allows you to configure custom tests. Figure 4-85 shows a custom test to check the availability of the Azure management portal, https://portal.azure.com.


FIGURE 4-85 Configuring a custom test in Service Connectivity Monitor


Once configured, Service Connectivity Monitor will generate packet loss and network per- 
formance charts (showing latency and response times) for each tested endpoint. 


ExpressRoute Monitor 


ExpressRoute Monitor allows you to monitor end-to-end network connectivity and perfor- 
mance between on-premises and Azure endpoints over ExpressRoute connections. It can 
auto-detect ExpressRoute circuits and your network topology, and track bandwidth utilization, 
packet loss and network latency. Reports are available for each ExpressRoute circuit or peering, 
and also for each Azure virtual network using ExpressRoute. 


To configure ExpressRoute Monitor, use the ExpressRoute Monitor section of the Network 
Performance Monitor Configuration blade (see Figure 4-86). First, ExpressRoute resources 
(such as gateways and circuits) are identified in your subscriptions. Next, the monitoring for 
each peering can be enabled, configuring health events and choosing monitoring agents. 

Once configured, it takes 30-60 minutes for the first ExpressRoute reporting data to 
become available. Several reports and charts are available, including bandwidth utilization, 
latency, and packet loss for each ExpressRoute circuit and for each peering. A network topol- 
ogy view shows network connections and status. Log Analytics alerts can be configured for a 
wide range of events, such as high latency, packet drops, high and low utilization, and more. 
FIGURE 4-86 Configuring ExpressRoute Monitor


Use network resource monitoring 


Earlier in this chapter, you saw how Azure Application Gateways and Azure Load Balancers emit 
diagnostic logs, which can be used for detailed insight into the status of each service. These 
logs can be captured in a storage account, streamed to an EventHub, or integrated with an 
Azure Log Analytics workspace, which enables customized queries and log-based alerting. In 
the case of App Gateway, you also saw how the Azure Application Gateway Analytics Log Ana- 
lytics solution provides a pre-configured dashboard and charts showing App Gateway status. 


Diagnostic logs are also available for a number of other networking resources, including 
Traffic Manager, Azure DNS, and Network Security Groups. In each case, they give deeper 
insight into the status and operation of each service, as well as supporting log-based alerts 
through Log Analytics. In the case of NSGs, the Traffic Analytics Log Analytics solution provides 
detailed reports giving insight into the successful and blocked traffic flows into and out of your 
Azure services. 


Use Azure Network Watcher 


Network Watcher provides a central hub for a wide range of network monitoring and diagnos- 
tic tools. These tools are valuable across a wide range of network troubleshooting scenarios, 
and also provide access to other tools listed in this skill section, such as the Network Perfor- 
mance Monitor and Connection Monitor. 


Deploying Network Watcher 


Network Watcher is enabled as a single instance per Azure region. It is not deployed like a con- 
ventional Azure resource, although it does appear as a resource in a resource group. 


Any subscription containing a virtual network resource will automatically have Network 
Watcher enabled. Otherwise, it can be enabled via the Azure portal, under All Services > 
Network Watcher. Also, you can see the Network Watcher status per region. Network 
Watcher can also be deployed via the command line (using the New-AzNetworkWatcher cmdlet 
or the az network watcher configure commands), which unlike the Azure portal, provides 
control over the resource group used. 


Some of the Network Watcher tools require the Network Watcher VM extension to be 
installed on the VM being monitored. This extension is available for both Windows and Linux 
VMs. It is installed automatically when using Network Watcher via the Azure portal. 
IP Flow Verify


The IP Flow Verify tool provides a quick and easy way to test whether a given network flow will 
be allowed into or out of an Azure virtual machine. It will report whether the requested traffic 
is allowed or blocked, and in the latter case, which NSG rule is blocking the flow. It is a useful 
tool for verifying that NSGs are correctly configured. 

It works by simulating the requested packet flow through the NSGs applied to the VM. For 
this reason, the VM must be in a running state. 

To use IP Flow Verify via the Azure portal, open Network Watcher, and click IP Flow Verify. Select the VM and NIC to verify, and specify the protocol, direction, and remote and local IP addresses and ports, as shown in Figure 4-87.

FIGURE 4-87 Using Network Watcher IP Flow Verify


IP Flow Verify can also be used from PowerShell, using the Test-AzNetworkWatcherIPFlow cmdlet, or the Azure CLI, using the az network watcher test-ip-flow command.

Next Hop


The Next Hop tool provides a useful way to understand how a VM's outbound traffic is being 
directed. For a given outbound flow, it shows the next hop IP address and type and the route 
table ID of any user-defined route in effect. Possible next hop types are 


■ Internet

■ VirtualAppliance

■ VirtualNetworkGateway

■ VirtualNetwork

■ VirtualNetworkPeering

■ VirtualNetworkServiceEndpoint

■ None (this is used for user-defined routes)


To use Next Hop via the Azure portal, open Network Watcher and click Next Hop. Select 
the source VM, NIC and IP address, and the destination address, as shown in Figure 4-88. The 
destination can be any IP address, either on the internal network or the Internet. 
FIGURE 4-88 Using Network Watcher Next Hop


Next Hop can also be used from PowerShell using the Get-AzNetworkWatcherNextHop cmdlet, or the Azure CLI using the az network watcher show-next-hop command.
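An added example, not from the book, that runs both checks above from Az PowerShell against one backend VM: IP Flow Verify for inbound client traffic on ports 80 and 443, then Next Hop for an Internet destination and an in-VNet destination. The resource group, VM name and the remote and destination addresses are constructed assumptions.

```powershell
# Added example (not from the book): IP Flow Verify and Next Hop for a backend VM.
$rg     = 'ExamRef-RG'    # assumed resource group
$vmName = 'web-vm1'       # assumed VM name
$vm     = Get-AzVM -ResourceGroupName $rg -Name $vmName
$nic    = Get-AzNetworkInterface -ResourceId $vm.NetworkProfile.NetworkInterfaces[0].Id
$nw     = Get-AzNetworkWatcher -Location $vm.Location   # one Network Watcher per region
$localIp = $nic.IpConfigurations[0].PrivateIpAddress

# IP Flow Verify simulates each packet through the NSGs applied to the NIC, so the
# VM must be running. 203.0.113.10 is a constructed client address (documentation range).
$flows = @(
    @{ Name = 'client HTTP from Internet';  Remote = '203.0.113.10'; Port = 80 },
    @{ Name = 'client HTTPS from Internet'; Remote = '203.0.113.10'; Port = 443 }
)
foreach ($f in $flows) {
    $r = Test-AzNetworkWatcherIPFlow -NetworkWatcher $nw -TargetVirtualMachineId $vm.Id `
        -TargetNetworkInterfaceId $nic.Id -Direction Inbound -Protocol TCP `
        -LocalIPAddress $localIp -LocalPort $f.Port `
        -RemoteIPAddress $f.Remote -RemotePort 49152
    # Access is Allow or Deny; RuleName names the NSG rule that made the decision,
    # which is what tells you whether a Deny comes from your rule or a default rule.
    "{0,-28} {1,-5} by {2}" -f $f.Name, $r.Access, $r.RuleName
}

# Next Hop: where does this VM's outbound traffic go for an Internet address and
# for a peer inside the VNet? Both destinations are constructed.
foreach ($dest in '8.8.8.8', '10.0.1.4') {
    $h = Get-AzNetworkWatcherNextHop -NetworkWatcher $nw -TargetVirtualMachineId $vm.Id `
        -TargetNetworkInterfaceId $nic.Id -SourceIPAddress $localIp -DestinationIPAddress $dest
    # NextHopType is one of the values listed above (Internet, VirtualAppliance, ...);
    # RouteTableId is populated only when a user-defined route is in effect.
    "{0,-10} -> {1} ({2}) route table: {3}" -f $dest, $h.NextHopType, $h.NextHopIpAddress, $h.RouteTableId
}
```

If the HTTPS flow is reported as Deny while HTTP is Allow, the RuleName shows which NSG rule needs a 443 entry; a VirtualAppliance next hop for the Internet destination means a user-defined route is steering egress through a firewall or NVA.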
Packet Captures


The Packet Capture tool allows you to capture network packets entering or leaving your virtual 
machines. It is a powerful tool for deep network diagnostics. 


You can capture all packets, or a filtered subset based on the protocol and local and remote IP addresses and ports. You can also specify the maximum packet and overall capture size, and a time limit (captures start almost immediately once configured).

Packet captures are stored as a file on the VM or in an Azure storage account, in which case NSGs must allow access from the VM to Azure storage. These captures are in a standard format and can be analyzed off-line using common tools such as Wireshark or Microsoft Message Analyzer.


To use the Packet Capture tool, open Network Watcher and click Packet Capture > +Add. 
Select the VM, give the capture a name, and specify the destination, packet and total size, time 
limit, and filters. An example is shown in Figure 4-89. 
FIGURE 4-89 Using Network Watcher Packet Capture (capture configuration: storage account examrefrgdiag, maximum bytes per packet 1024, maximum bytes per session 5000000, time limit 300 seconds; filtering: protocol any/TCP/UDP, local IP address 10.0.0.4, local port 80;443, remote IP address)
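The capture shown in Figure 4-89, started from Az PowerShell as an added example that is not from the book. The resource group, VM name and capture name are assumptions; the storage account name, limits and filter values are taken from the figure, and the Network Watcher VM extension is assumed to be installed on the VM already.

```powershell
# Added example (not from the book): the Figure 4-89 capture via Az PowerShell.
$rg      = 'ExamRef-RG'   # assumed resource group
$vm      = Get-AzVM -ResourceGroupName $rg -Name 'web-vm1'   # assumed VM name
$nw      = Get-AzNetworkWatcher -Location $vm.Location
$storage = Get-AzStorageAccount -ResourceGroupName $rg -Name 'examrefrgdiag'  # name from the figure

# Filter as in the figure: TCP only, local address 10.0.0.4, local ports 80 and 443.
# Remote address is left unset so traffic from any client is captured.
$filter = New-AzNetworkWatcherPacketCaptureFilterConfig -Protocol TCP `
    -LocalIPAddress '10.0.0.4' -LocalPort '80;443'

# Limits from the figure: 1024 bytes per packet, 5,000,000 bytes per session, 300 s.
# The capture starts almost immediately and writes a .cap file to the storage account.
$capture = New-AzNetworkWatcherPacketCapture -NetworkWatcher $nw `
    -TargetVirtualMachineId $vm.Id -PacketCaptureName 'web-vm1-http' `
    -StorageAccountId $storage.Id `
    -BytesToCapturePerPacket 1024 -TotalBytesPerSession 5000000 `
    -TimeLimitInSeconds 300 -Filter $filter

# Poll until the capture stops (time limit or session size reached), then report
# where the file landed so it can be opened offline in Wireshark.
do {
    Start-Sleep -Seconds 30
    $status = Get-AzNetworkWatcherPacketCapture -NetworkWatcher $nw -PacketCaptureName $capture.Name
} while ($status.PacketCaptureStatus -eq 'Running')

"Capture '{0}' finished with status {1}; file at {2}" -f `
    $capture.Name, $status.PacketCaptureStatus, $capture.StorageLocation.StoragePath
```

The NSG on the VM must allow outbound access to Azure Storage for the upload to succeed; a capture that ends with an error status but no file is the usual sign that it does not.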
Network Topology

The Network Topology view in Network Watcher provides a diagrammatic view of the resources in your virtual network. It is not a diagnostic or alerting tool. It is a quick and easy way to review your network resources and manually check for misconfiguration.


A limitation of the tool is that it only shows the topology within a single virtual network. All 
common network resource types are supported, although for application gateways, only the 
backend pool connected to the network interface is shown. 


To use Network Topology via the Azure portal, open Network Watcher and click Topology. 
Select the resource group and virtual network, and the topology will be shown. 


An example topology is given in Figure 4-90. 
FIGURE 4-90 Using Network Watcher Network Topology


The underlying topology data can be downloaded in JSON format via Azure PowerShell or the Azure CLI, using the Get-AzNetworkWatcherTopology cmdlet or the az network watcher show-topology command, respectively.


Troubleshoot external networking 


We have already seen how the Network Performance Monitor provides a range of powerful 
features to monitor and diagnose issues across both Azure and on-premises networks, includ- 
ing detailed analytics for ExpressRoute connections. 

Another pair of useful tools to investigate issues with external networks are the Connection 
Monitor and Connection Troubleshoot tools in Network Watcher. These are discussed in the 
next section: “Troubleshoot virtual network connectivity.” 
In this section, we discuss VPN Troubleshoot, which is designed specifically to diagnose problems with VPN connections.


Remember, for simple validation that a VPN connection is working, it is also always worthwhile trying to connect between VMs on either end of the VPN tunnel using standard tools such as tcping.


VPN Troubleshoot 


The VPN Troubleshoot feature in Network Watcher provides automated diagnostics of Azure VPN gateways and connections. The results provide a detailed report on gateway health and connection health, pointing to the common issues that might be present and enabling informed remediation.


VPN Troubleshoot only supports route-based VPN gateways (not policy-based gateways or 
ExpressRoute gateways). It supports both IPsec Site-to-Site VPNs and VNet-to-VNet connec- 
tions; it does not support ExpressRoute connections or Point-to-Site connections. 


During the troubleshooting process, logs are written to a storage account. This account 
must be created before starting the troubleshooting process. 


To use VPN Troubleshoot via the Azure portal, open Network Watcher and click VPN 
Troubleshoot. Select the storage container for the troubleshooting logs and then select which 
VPN resources to troubleshoot. Finally, click Start Troubleshooting. 


The troubleshooting process takes a few minutes to run. Once complete, the results will be 
shown at the bottom of the page. 


Troubleshoot virtual network connectivity 


A number of the tools we have already seen can be useful for troubleshooting connectivity 
issues between and within virtual networks. Network Watcher offers two more tools that are 
particularly useful in this scenario: Connection Troubleshoot and Connection Monitor. 


Connection Troubleshoot 


Connection Troubleshoot is a Network Watcher feature designed to allow you to test the con-
nectivity between an Azure VM or an App Gateway and another endpoint: either another
Azure VM, or an arbitrary Internet or Intranet endpoint. This diagnostic tool can identify
a range of problems, including guest VM issues, such as guest firewall configuration, low
memory, or high CPU; Azure configuration issues, such as Network Security Groups blocking
traffic or routing issues diverting traffic; and other network issues, such as DNS failures.


To use Connection Troubleshoot from the Azure portal, open Network Watcher and then
click Connection Troubleshoot. Specify the source VM, then specify the destination, either as
another VM or by giving a URI, FQDN, or IPv4 address. Specify the protocol to use (either TCP
or ICMP). For TCP, you can specify the destination port, and, under Advanced Settings, the
source port. An example configuration is shown in Figure 4-91.


[Figure 4-91 shows the Connection troubleshoot blade in Network Watcher. Source: subscription,
resource group ExamRef-RG, source type Virtual machine, virtual machine ExamRef-Jump.
Destination: Specify manually, URI/FQDN/IPv4 azure.microsoft.com. Probe settings: protocol TCP,
destination port 443; the source port is under Advanced settings.]

FIGURE 4-91 Network Watcher Connection Troubleshoot configuration


The test takes a few minutes to run. Upon completion, the results will be shown at the 
bottom of the page. An example output is shown in Figure 4-92. 


Connection Troubleshoot is also available via PowerShell using the
Test-AzNetworkWatcherConnectivity cmdlet and via the Azure CLI using the
az network watcher test-connectivity command.
[Figure 4-92 shows the Connection Troubleshoot results panel; in the example, 66 probes were sent.]

FIGURE 4-92 Network Watcher Connection Troubleshoot results


Connection Monitor 


The Connection Monitor in Network Watcher is similar to Connection Troubleshoot, in that it 
uses the same mechanism to test the connection between an Azure VM or App Gateway and 
another endpoint. The difference is that Connection Monitor provides ongoing connection 
monitoring, whereas Connection Troubleshoot only provides a point-in-time test. 


Data from Connection Monitor is surfaced in Azure Monitor. Charts show key metrics such 
as round-trip time and probe failures. Azure Monitor can also be used to configure alerts, 
triggered by connection failures or a drop in performance. 


To use Connection Monitor via the Azure portal, open Network Watcher and click
Connection Monitor. A list of active monitored connections is shown. Click +Add to create
a new monitored connection and then fill in the connection settings. The settings are almost
the same as for Connection Troubleshoot. Also, you will need to specify the probing interval in
seconds. An example is shown in Figure 4-93.


The monitored connection will be listed on the Connection Monitor blade within Network 
Watcher. Click a monitored connection to open the results panel, as shown in Figure 4-94. 
The chart shows average round-trip time and percentage of probe failures. Click the chart to 
view the data in Azure Monitor. From there, alerts can be configured based on these metrics 
exceeding thresholds you define. The table below the chart shows the current connection 
status—clicking each line provides further details about the status, which is similar to how the 
results obtained from Connection Troubleshoot are shown. 
FIGURE 4-94 Network Watcher Connection Monitor status
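Both tools can also be driven from a script, which is how you would wire a connectivity check into a runbook or a post-change test. The following Python example is added here and is not the book's own code: it builds the az network watcher test-connectivity call that matches the Connection Troubleshoot blade described above, and reduces the JSON result (the same per-hop status data that Connection Monitor shows for each probe) to the findings a responder acts on. SAMPLE_RESULT is a constructed payload in the shape the CLI returns, with made-up resource names, IDs, and addresses; run_test() assumes a logged-in Azure CLI and is only called when you have one.

```python
"""Drive Network Watcher Connection Troubleshoot from a script and interpret its result."""
import json
import subprocess

# Constructed sample in the shape `az network watcher test-connectivity` returns (a hop list
# with per-hop issues). Resource names, IDs and addresses are made up for this example.
SAMPLE_RESULT = json.loads("""
{
  "connectionStatus": "Unreachable",
  "avgLatencyInMs": null, "minLatencyInMs": null, "maxLatencyInMs": null,
  "probesSent": 66, "probesFailed": 66,
  "hops": [
    {"type": "Source", "id": "hop-1", "address": "10.1.1.4",
     "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/ExamRef-RG/providers/Microsoft.Network/networkInterfaces/examref-jump-nic",
     "nextHopIds": ["hop-2"],
     "issues": [{"origin": "Outbound", "severity": "Error", "type": "NetworkSecurityRule",
                 "context": [{"key": "RuleName", "value": "DenyInternetOutbound"}]}]},
    {"type": "Internet", "id": "hop-2", "address": "20.0.0.1", "resourceId": null,
     "nextHopIds": [], "issues": []}
  ]
}
""")


def build_test_command(resource_group, source_vm, dest_address, dest_port, protocol="Tcp"):
    """Azure CLI invocation equivalent to filling in the Connection Troubleshoot blade."""
    return [
        "az", "network", "watcher", "test-connectivity",
        "--resource-group", resource_group,
        "--source-resource", source_vm,        # VM name or resource ID
        "--dest-address", dest_address,        # FQDN, URI or IPv4 address
        "--dest-port", str(dest_port),
        "--protocol", protocol,                # Tcp or Icmp
        "--output", "json",
    ]


def run_test(resource_group, source_vm, dest_address, dest_port, protocol="Tcp"):
    """Run the check for real (requires `az login`); returns the parsed JSON result."""
    cmd = build_test_command(resource_group, source_vm, dest_address, dest_port, protocol)
    completed = subprocess.run(cmd, check=True, capture_output=True, text=True)
    return json.loads(completed.stdout)


def summarize(result):
    """Flatten the hop/issue tree into actionable findings plus overall status and loss."""
    findings = []
    for hop in result.get("hops", []):
        for issue in hop.get("issues", []):
            context = {c["key"]: c["value"] for c in issue.get("context", [])}
            findings.append({
                "hop": hop.get("address"),
                "resource": hop.get("resourceId"),
                "origin": issue.get("origin"),      # Inbound / Outbound / Local
                "severity": issue.get("severity"),  # Error / Warning
                "type": issue.get("type"),          # e.g. NetworkSecurityRule, UserDefinedRoute
                "context": context,                 # e.g. the NSG rule name that matched
            })
    sent = result.get("probesSent") or 0
    failed = result.get("probesFailed") or 0
    loss_pct = round(100.0 * failed / sent, 1) if sent else 0.0
    return {
        "status": result.get("connectionStatus"),
        "avg_rtt_ms": result.get("avgLatencyInMs"),
        "loss_pct": loss_pct,
        "findings": findings,
    }


def is_blocked_by_nsg(summary):
    """True when some hop reports an NSG rule as an error-level issue."""
    return any(f["type"] == "NetworkSecurityRule" and f["severity"] == "Error"
               for f in summary["findings"])


if __name__ == "__main__":
    s = summarize(SAMPLE_RESULT)
    print(s["status"], f"{s['loss_pct']}% loss")
    for f in s["findings"]:
        print(f"  {f['origin']} {f['severity']} {f['type']} at {f['hop']}: {f['context']}")
```

When the summary reports a NetworkSecurityRule finding, the context carries the rule name, so the next stop is Effective Security Rules on that network interface rather than guessing. A result with no findings but high probe loss points at the guest (host firewall, CPU, or memory) or at the far end, which is the case Connection Troubleshoot cannot see into.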


Skill 4.5: Integrate an on-premises network 
with an Azure virtual network 


Many Azure deployments require connectivity between the on-premises network and the 
Azure VNet. This integrated network is called a hybrid network. 
Hybrid networks are commonly used for Intranet applications, which may be hosted in
Azure but only accessed from the on-premises network. They are also used by Azure applica-
tions that require access to an on-premises resource, such as a database.


Hybrid networks provide connectivity between the private IP space of the on-premises 
network and the private IP space of the Azure VNet. The VNet can be thought of as an exten- 
sion of the existing on-premises network. The concept is similar to extending the on-premises 
network to a new office location. 


This section covers how to:
■ Create and configure Azure VPN Gateway
■ Create and configure Azure ExpressRoute
■ Configure Azure Virtual WAN


Create and configure Azure VPN Gateway 


A virtual network gateway allows you to create connections from your virtual network to other 
networks. When creating a gateway, you must specify if it will be used for VPN connections or 
ExpressRoute connections. Virtual network gateways used for VPN connections are called a VPN 
gateway, while those used for ExpressRoute connections are called ExpressRoute gateways. 


Earlier in this chapter we saw how VPN gateways can be used to connect one Azure VNet to 
another. They can also be used to create VPN tunnels between Azure VNets and on-premises 
networks—this is called a site-to-site VPN. They can also be used as a hub for point-to-site net- 
works, where individual machines connect to an Azure VNet via the VPN client on the machine. 


Gateway subnets 


VPN gateways can only be deployed to a dedicated gateway subnet within the VNet. A 
gateway subnet is a special type of subnet that can only be used for virtual network gateways. 
Under the hood, the VPN gateway is implemented using Azure virtual machines (these are not 
directly accessible and are managed for you). While the minimum size for the gateway subnet 
is a CIDR /29, the Microsoft-recommended best practice is to use a CIDR /27 address block to 
allow for future expansion. 


A VPN connection between an on-premises network and an Azure VNet can only be 
established if the network ranges do not overlap. Network address ranges should be planned 
carefully to avoid restricting future connectivity options. 


Gateway SKUs 


VPN Gateways are available in several pricing tiers, or SKUs. The correct tier should be chosen
based on the required network capacity, as shown in Table 4-10.

TABLE 4-10 Comparison of VPN Gateway Pricing Tiers

SKU                     Max Site-to-Site VPN Connections    Throughput
Basic                   10                                  100 Mbps
VpnGw1 and VpnGw1AZ     30                                  650 Mbps
VpnGw2 and VpnGw2AZ     30                                  1 Gbps
VpnGw3 and VpnGw3AZ     30                                  1.25 Gbps


NOTE RESIZING VPN GATEWAYS 


You can resize a gateway between the VpnGw1, VpnGw2, and VpnGw3 tiers. You cannot, how- 
ever, resize a Basic tier gateway. 


BGP 


Border Gateway Protocol (BGP) is a standard used in the Internet to exchange routing infor- 
mation between networks. BGP can be optionally enabled on your VPN gateway, if the on- 
premises gateway also supports it. If used, it enables the VPN gateway and the on-premises 
gateway to exchange routing information automatically, avoiding the need to configure routes 
manually. 


BGP also enables highly available redundant connections (see the next section) and advanced
features such as transit routing across multiple networks. It is also used where a VPN connection
serves as a failover in case the primary connection, using ExpressRoute, fails.


High Availability 

By default, each VPN gateway is deployed as two VMs in an active-standby configuration. To 
reduce downtime in the event the active instance fails, an active-active configuration can also 
be used (not supported for Basic SKU gateways). In this mode, both gateway instances have their 
own public IP addresses, and two connections are made to the on-premises VPN endpoint. 


Dual on-premises VPN endpoints can also be used. This requires BGP to be enabled and 
works with both active-standby or active-active VPN gateways. Combining dual on-premises 
endpoints with active-active VPN gateways provides a fully redundant configuration, avoiding 
single points of failure, as shown in Figure 4-95. In this configuration, traffic will be distributed 
over all four VPN tunnels. 

For increased resilience to data center-level failures, virtual network gateways can be
deployed to availability zones. This requires the use of dedicated SKUs, called VpnGw1AZ,
VpnGw2AZ, and VpnGw3AZ. Both zone-redundant and zone-specific deployment models are
supported, the choice being inferred from the associated public IP address rather than being
specified explicitly as a gateway property.

FIGURE 4-95 Dual on-premises VPN endpoints connected to active-active VPN gateways


Create a VPN Gateway using the Azure portal 


Before creating the VPN gateway, first create the gateway subnet. Using the Azure portal, navi- 
gate to your virtual network and click the Subnets link under Settings to open the Subnets 
blade. Click the +Gateway Subnet button and assign an address space using a /27 CIDR, as 
seen in Figure 4-96. Do not modify the other subnet settings. 


[Figure 4-96 shows the Add subnet blade for ExamRef-VNet: address range 10.1.5.0/27
(10.1.5.0 - 10.1.5.31, 27 usable plus 5 Azure-reserved addresses), with NAT gateway,
Network security group, Route table, Service endpoints, and Subnet delegation all left at None.]

FIGURE 4-96 Adding a Gateway Subnet to a virtual network


Next, provision a VPN gateway as follows. From the Azure portal, click +Create A
Resource > Networking > Virtual Network Gateway. Complete the Create Virtual
Network Gateway blade as follows:

■ Name. Choose VNet-GW.
■ Gateway type. Choose VPN.
■ VPN Type. Choose Route-Based.
■ SKU. Choose VpnGw1.
■ Generation. Choose Generation1.
■ Virtual Network. Choose your VNet.
■ Gateway subnet address range. Choose based on your configuration.
■ Public IP Address. Choose Create New or Use Existing.
■ Location. This is the same as your VNet.


Do not select the checkboxes for Enable Active-Active Mode or Configure BGP ASN. 
Figure 4-97 shows the completed gateway settings. 


[Figure 4-97 shows the Create virtual network gateway blade (Basics tab): subscription Visual
Studio Ultimate with MSDN, resource group ExamRef-RG (derived from the virtual network's
resource group), Name VNet-GW, Region Canada Central, Gateway type VPN, VPN type Route-based,
SKU VpnGw1, Generation Generation1, Virtual network ExamRef-VNet, Gateway subnet address range
10.1.5.0/27 (10.1.5.0 - 10.1.5.31, 32 addresses), Public IP address Use existing (ExamRef-ip),
Enable active-active mode Disabled, Configure BGP ASN Disabled. The blade also recommends
using a validated VPN device with the gateway.]

FIGURE 4-97 Creating an Azure VPN Gateway
NOTE GATEWAY SUBNETS


When creating the gateway subnet, there is no special parameter or cmdlet name to denote 
that this is a gateway subnet rather than a normal subnet. The only distinction that identifies a 
gateway subnet is the subnet name, GatewaySubnet. 
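The portal walk-through above is easy to get subtly wrong: a gateway subnet outside the VNet range, a /29 that blocks later growth, an on-premises range that overlaps the VNet, or a pre-shared key pasted into a script. The following Python example is added here (it is not the book's own code) to check those points before anything is deployed and then emit the Azure CLI equivalent of the portal steps. The resource names (ExamRef-RG, ExamRef-VNet, VNet-GW), the on-premises ranges and VPN device address, and the VPN_SHARED_KEY environment variable are assumptions for the example; the Standard public IP SKU follows current guidance for new gateways, but confirm the public IP requirements for your gateway SKU before running it.

```python
"""Sanity-check a site-to-site VPN gateway plan, then emit the CLI equivalent of the portal steps."""
import ipaddress
from dataclasses import dataclass

GATEWAY_SUBNET_NAME = "GatewaySubnet"  # the name is the only thing that marks a gateway subnet
MIN_PREFIXLEN = 29                     # smallest gateway subnet Azure accepts
RECOMMENDED_PREFIXLEN = 27             # Microsoft's recommendation, leaves room for growth


@dataclass
class VpnPlan:
    resource_group: str
    location: str
    vnet_name: str
    vnet_space: str           # e.g. "10.1.0.0/16"
    gateway_subnet: str       # e.g. "10.1.5.0/27"
    onprem_prefixes: list     # ranges reachable behind the on-premises VPN device
    onprem_vpn_ip: str        # public IP of the on-premises VPN device (assumed value in __main__)
    gateway_name: str = "VNet-GW"
    sku: str = "VpnGw1"
    shared_key_env: str = "VPN_SHARED_KEY"   # PSK is read from the environment, never embedded


def check_plan(plan):
    """Return {'errors': [...], 'warnings': [...]}; deploy only when errors is empty."""
    errors, warnings = [], []
    vnet = ipaddress.ip_network(plan.vnet_space)
    gw = ipaddress.ip_network(plan.gateway_subnet)
    if not gw.subnet_of(vnet):
        errors.append(f"gateway subnet {gw} is outside the VNet address space {vnet}")
    if gw.prefixlen > MIN_PREFIXLEN:
        errors.append(f"gateway subnet {gw} is smaller than the /{MIN_PREFIXLEN} minimum")
    elif gw.prefixlen > RECOMMENDED_PREFIXLEN:
        warnings.append(f"gateway subnet {gw} works, but a /{RECOMMENDED_PREFIXLEN} is recommended")
    for prefix in plan.onprem_prefixes:
        onprem = ipaddress.ip_network(prefix)
        if onprem.overlaps(vnet):
            errors.append(f"on-premises range {onprem} overlaps the VNet {vnet}; no tunnel is possible")
    if plan.sku == "Basic":
        warnings.append("Basic SKU cannot be resized later and does not support active-active mode")
    return {"errors": errors, "warnings": warnings}


def deployment_commands(plan):
    """Azure CLI equivalent of the portal procedure, returned as strings for review before running."""
    rg, loc, gw = plan.resource_group, plan.location, plan.gateway_name
    pip = f"{gw}-pip"
    return [
        # 1. Gateway subnet: nothing but the name distinguishes it, so the name is fixed.
        f"az network vnet subnet create -g {rg} --vnet-name {plan.vnet_name} "
        f"-n {GATEWAY_SUBNET_NAME} --address-prefixes {plan.gateway_subnet}",
        # 2. Public IP for the gateway.
        f"az network public-ip create -g {rg} -n {pip} -l {loc} --sku Standard --allocation-method Static",
        # 3. The gateway itself: VPN type, route-based, chosen SKU; --no-wait because this takes a while.
        f"az network vnet-gateway create -g {rg} -n {gw} -l {loc} --vnet {plan.vnet_name} "
        f"--public-ip-address {pip} --gateway-type Vpn --vpn-type RouteBased --sku {plan.sku} --no-wait",
        # 4. Local network gateway: how Azure sees the on-premises side.
        f"az network local-gateway create -g {rg} -n onprem-lgw -l {loc} "
        f"--gateway-ip-address {plan.onprem_vpn_ip} --local-address-prefixes {' '.join(plan.onprem_prefixes)}",
        # 5. The site-to-site connection; the shell expands the PSK from the environment at run time.
        f"az network vpn-connection create -g {rg} -n {gw}-to-onprem -l {loc} "
        f"--vnet-gateway1 {gw} --local-gateway2 onprem-lgw --shared-key \"${plan.shared_key_env}\"",
    ]


if __name__ == "__main__":
    plan = VpnPlan("ExamRef-RG", "canadacentral", "ExamRef-VNet", "10.1.0.0/16", "10.1.5.0/27",
                   ["192.168.0.0/16"], "203.0.113.10")
    report = check_plan(plan)
    for w in report["warnings"]:
        print("WARNING:", w)
    if report["errors"]:
        raise SystemExit("\n".join("ERROR: " + e for e in report["errors"]))
    print("\n".join(deployment_commands(plan)))
```

The commands are returned rather than executed so they can be reviewed (or fed to a pipeline) after the checks pass; the gateway creation runs with --no-wait because provisioning takes well over half an hour, and the connection step only succeeds once the gateway has finished.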


Create and configure Azure ExpressRoute 


ExpressRoute is a secure and reliable private connection between your on-premises network
and the Microsoft cloud. The connection is usually provided by a third-party network provider
who has partnered with Microsoft to offer ExpressRoute services. This third party is known as
the ExpressRoute provider. Alternatively, with ExpressRoute Direct, you can connect directly to
the Microsoft Enterprise Edge (MSEE) routers.


Unlike a Site-to-Site VPN, network traffic using ExpressRoute uses your provider's network 
and does not pass over the Internet. Therefore, the latency and bandwidth for an ExpressRoute 
circuit is more predictable and stable because traffic stays on your provider's network. (An 
ExpressRoute connection is called a circuit.) 


Another key difference between ExpressRoute connections and Site-to-Site VPN con- 
nections is that Site-to-Site VPN connections only provide connectivity to your Azure VNet, 
whereas ExpressRoute provides connectivity to all Microsoft cloud services. This includes Azure 
VNets, Azure platform services (such as CosmosDB), and Microsoft services outside of Azure 
such as Office 365 and Dynamics 365. 


Connectivity models 


ExpressRoute connectivity can be established in one of three ways. The capabilities and fea-
tures of ExpressRoute are the same in each case.

■ If your network already has a presence at a co-location facility with a cloud exchange,
your co-location provider can establish a virtual cross-connection with the Microsoft
Cloud. This provides either a layer 2 or a managed layer 3 connection.

■ Your connectivity provider may be able to provide a point-to-point ethernet connection
from their network to your on-premises network. Again, this approach offers either a
layer 2 or managed layer 3 connection.

■ Finally, your existing IPVPN WAN provider may be able to integrate ExpressRoute into
your WAN, if they are registered as an ExpressRoute provider. In this case, your provider
will typically offer managed layer 3 connectivity.


These connectivity options are shown in Figure 4-98. 
FIGURE 4-98 ExpressRoute connectivity models


Circuits and peering 


An ExpressRoute circuit is an Azure resource used to represent the logical connection between 
your on-premises network and Microsoft. Each circuit is identified by a GUID called a service 
key (s-key), which is shared with your connectivity provider. 


Each circuit has a fixed bandwidth, and a specific peering location. The available bandwidth
options are 50 Mbps, 100 Mbps, 200 Mbps, 500 Mbps, 1 Gbps, 2 Gbps, 5 Gbps, and 10 Gbps.
This bandwidth can be either metered or unlimited:

■ Metered. All inbound data transfer is free of charge, and all outbound data transfer is
charged based on a predetermined rate. Users are also charged a fixed monthly port fee
(based on high-availability dual ports).

■ Unlimited. All inbound and outbound data transfer is free of charge. Users are
charged a single fixed monthly port fee (based on high-availability dual ports).

New ExpressRoute circuits offer two peering options, also known as routing domains:
Private or Microsoft Peering. Each circuit can use either one or both peerings. These peerings
are shown in Figure 4-99.

■ Azure Private Peering. Provides connectivity over the Intranet address space into
your Azure virtual network. This peering is considered a trusted extension of your core
network into Azure.

■ Microsoft Peering. Provides connectivity over the Internet address space into
Microsoft services such as Office 365, Dynamics 365, and Internet-facing endpoints of
Azure platform (PaaS) services.

Older circuits may use a third peering model, Azure Public Peering, which provides
connectivity to Azure PaaS services only. This is deprecated for new circuits.

FIGURE 4-99 ExpressRoute peering options


Each ExpressRoute circuit has two connections from your network edge to two Microsoft 
edge routers, configured using BGP. Microsoft requires dual BGP connections from your edge 
to each Microsoft edge router. You can choose not to deploy redundant devices or ethernet 
circuits at your end; however, connectivity providers use redundant devices to ensure that your 
connections are handed off for high availability to Microsoft in a redundant manner. 

Figure 4-100 shows a redundant connectivity configuration. 
FIGURE 4-100 Multiple cities connected to ExpressRoute in two Azure regions


Global availability and ExpressRoute Premium 


ExpressRoute is only available in certain cities throughout the world, so it is important to check 
with your local providers to determine availability. For a list of ExpressRoute providers and their 
supported locations, see: https://docs.microsoft.com/azure/expressroute/expressroute-locations. 

By default, each ExpressRoute circuit enables connectivity to Microsoft data centers within a 
geopolitical region. For example, a connection in Amsterdam gives you access to all Microsoft 
data centers in Europe. 
With the ExpressRoute Premium add-on, connectivity is extended to all Microsoft data
centers worldwide. This add-on also raises the number of routes permitted for the Azure
Private Peering from 4,000 to 10,000. It also increases the number of virtual networks that can
be connected to each ExpressRoute circuit, from 10 to between 20 and 100 (depending on the
bandwidth of the circuit).


Creating an ExpressRoute circuit 


To create an ExpressRoute circuit using the Azure portal, click +Create A Resource >
Networking, and then choose ExpressRoute to open the Create ExpressRoute blade (see
Figure 4-101). Select the Subscription, Resource Group, and Resource Location and specify
the Name of the ExpressRoute circuit.


NOTE EXPRESSROUTE LOCATIONS 


When creating an ExpressRoute circuit, you must specify both the peering location and the
location of the ExpressRoute circuit resource. These are independent settings, although
Microsoft suggests the best practice is for them to be nearby.


On the next screen, on the Configuration blade, select the Port Type, Provider, and 
Peering Location, and then specify the Bandwidth, Billing Model, and whether the classic 
operations are required (see Figure 4-102). 


[Figure 4-101 shows the Create ExpressRoute blade (Basics tab): subscription Visual Studio
Ultimate with MSDN, resource group ExamRef-RG, Region Canada Central, Name ExamRef-ER.]

FIGURE 4-101 Creating an ExpressRoute circuit
[Figure 4-102 shows the Configuration tab: Port type Provider (or Direct), Billing model
Metered (or Unlimited), and classic operations set to No.]

FIGURE 4-102 Creating an ExpressRoute circuit (Configuration tab)


NOTE EXPRESSROUTE BILLING 


Billing for the circuit begins immediately upon resource creation and does not depend upon 
completing the configuration with the ExpressRoute provider. ExpressRoute circuits can be 
expensive, so care is advised. It is a good practice to restrict the ability to create ExpressRoute 
circuits using Azure Policy. 
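A concrete form of the restriction recommended in the note above, added here as an example rather than taken from the book: an Azure Policy definition that denies creation of ExpressRoute circuits unless the request carries an approval tag, together with a minimal evaluator for the two operators the rule uses, so the rule's logic can be checked before it is assigned. The tag name costCenterApproval, the policy name, the rules file name, and the assignment scope are assumptions; the az policy commands are generated as strings for review.

```python
"""Deny ExpressRoute circuit creation unless explicitly approved, expressed as an Azure Policy rule."""
import json

APPROVAL_TAG = "costCenterApproval"   # assumed tag name; its presence is the approval gate

# Azure Policy rule: deny any expressRouteCircuits resource that lacks the approval tag.
# "exists": "false" is true when the field is absent; mode All so it applies to every resource type.
EXPRESSROUTE_DENY_POLICY = {
    "mode": "All",
    "policyRule": {
        "if": {
            "allOf": [
                {"field": "type", "equals": "Microsoft.Network/expressRouteCircuits"},
                {"field": f"tags['{APPROVAL_TAG}']", "exists": "false"},
            ]
        },
        "then": {"effect": "deny"},
    },
}


def _field_value(resource, field):
    """Resolve the two field forms the rule uses: top-level 'type' and tags['name']."""
    if field.startswith("tags['") and field.endswith("']"):
        return resource.get("tags", {}).get(field[6:-2])
    return resource.get(field)


def _condition_matches(resource, cond):
    """Model only the operators the rule above uses (equals, exists)."""
    value = _field_value(resource, cond["field"])
    if "equals" in cond:
        return value == cond["equals"]
    if "exists" in cond:
        return (value is not None) == (cond["exists"] == "true")
    raise ValueError(f"operator not modelled here: {cond}")


def evaluate(resource, policy=EXPRESSROUTE_DENY_POLICY):
    """Return 'deny' or 'allow' for a resource, mirroring allOf semantics for the operators above."""
    rule = policy["policyRule"]
    if all(_condition_matches(resource, c) for c in rule["if"]["allOf"]):
        return rule["then"]["effect"]
    return "allow"


def policy_commands(name, scope, rules_path="expressroute-deny.rules.json"):
    """CLI steps to create the definition (rule read from a file, since the rule JSON contains
    single quotes) and assign it at a subscription or management group scope."""
    return [
        f"az policy definition create --name {name} --mode All --rules {rules_path}",
        f"az policy assignment create --name {name}-assignment --policy {name} --scope {scope}",
    ]


if __name__ == "__main__":
    circuit = {"type": "Microsoft.Network/expressRouteCircuits", "name": "ExamRef-ER", "tags": {}}
    print(evaluate(circuit))                      # deny: no approval tag
    circuit["tags"][APPROVAL_TAG] = "CC-1234"
    print(evaluate(circuit))                      # allow: tag present
    with open("expressroute-deny.rules.json", "w") as fh:
        json.dump(EXPRESSROUTE_DENY_POLICY["policyRule"], fh, indent=2)
    print("\n".join(policy_commands("deny-expressroute-unapproved",
                                    "/subscriptions/00000000-0000-0000-0000-000000000000")))
```

Assign the definition at the management group or subscription level so that a project team cannot sidestep it by creating the circuit in a different resource group; anyone who can add the tag can still create circuits, so pair the tag with RBAC on who may write tags, or replace the tag check with a condition on an approved resource group.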


The ExpressRoute circuit will be created. The resource overview blade will show the provider 
status as Not Provisioned, and also shows the service key. Copy the service key and share it 
with your ExpressRoute provider. The provider status will change to Provisioning and finally to 
Provisioned once the provider setup is complete. 


Next, you need to provision either Azure Private Peering or Microsoft Peering for your
circuit. From the ExpressRoute circuit blade, click Peerings, and select the type of peering to
configure. Fill in the BGP ASN and subnets as prompted, and then save the configuration.


For Microsoft Peering, you may see the status Validation Needed for the advertised public 
IP prefixes. This is because Microsoft needs to validate that you own these IP prefixes before 
updating their routing to use the ExpressRoute connection. In this case, use the Azure portal to 
raise a support ticket to perform the validation. 
Connecting virtual networks to ExpressRoute


Virtual networks are connected to ExpressRoute circuits using an ExpressRoute gateway. An 
ExpressRoute gateway is a virtual network gateway, created with the ExpressRoute option 
(rather than the VPN option, used to create VPN gateways). Just as with VPN gateways, the 
ExpressRoute gateway must be created in the gateway subnet of the virtual network. 


Once the ExpressRoute gateway is created, it can be connected to the ExpressRoute cir- 
cuit. The process is the same as adding a VPN connection to a VPN gateway, except that the 
ExpressRoute connection type is selected, and the ExpressRoute circuit specified. The circuit must 
be enabled by your connectivity provider and have Azure Private Peering enabled beforehand. 
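The circuit, peering, and gateway steps above have several parameters that the portal will accept but that will fail later or cost money (billing starts at circuit creation): a bandwidth that is not offered, a BGP ASN reserved by Azure, link subnets that are not /30s or that collide with a VNet, or more advertised routes than the SKU tier allows. The following Python example is added here (not the book's code) to check a private-peering plan against the limits stated in this section and then emit the Azure CLI equivalents of the circuit, peering, gateway, and connection steps. The provider, peering location, ASN, VLAN, subnets, and resource names are assumed values; the reserved-ASN list is the one Microsoft documents in the ExpressRoute routing requirements and should be re-checked before you rely on it, as should the public IP SKU for your ExpressRoute gateway SKU.

```python
"""Check an ExpressRoute private-peering plan against the limits above, then emit the CLI steps."""
import ipaddress
from dataclasses import dataclass

CIRCUIT_BANDWIDTHS_MBPS = {50, 100, 200, 500, 1000, 2000, 5000, 10000}
PRIVATE_PEERING_ROUTE_LIMIT = {"Standard": 4000, "Premium": 10000}
# ASNs Microsoft lists as reserved for Azure in the ExpressRoute routing requirements
# (assumed current; re-check the documentation before relying on it).
AZURE_RESERVED_ASNS = {8074, 8075, 12076, 65515, 65517, 65518, 65519, 65520}


@dataclass
class PrivatePeeringPlan:
    resource_group: str
    location: str
    circuit_name: str
    provider: str
    peering_location: str
    bandwidth_mbps: int
    sku_tier: str             # Standard or Premium
    sku_family: str           # MeteredData or UnlimitedData
    peer_asn: int             # your BGP ASN
    vlan_id: int
    primary_subnet: str       # /30 for the primary BGP session
    secondary_subnet: str     # /30 for the secondary BGP session
    vnets: dict               # VNet name -> address space; one ExpressRoute gateway each
    advertised_routes: int    # prefixes you intend to advertise over private peering


def check_peering(plan):
    """Return a list of errors; an empty list means the plan passes the checks modelled here."""
    errors = []
    if plan.bandwidth_mbps not in CIRCUIT_BANDWIDTHS_MBPS:
        errors.append(f"{plan.bandwidth_mbps} Mbps is not an offered circuit bandwidth")
    if plan.sku_tier not in PRIVATE_PEERING_ROUTE_LIMIT:
        errors.append(f"unknown SKU tier {plan.sku_tier}")
    if not 1 <= plan.peer_asn <= 4294967295 or plan.peer_asn in AZURE_RESERVED_ASNS:
        errors.append(f"ASN {plan.peer_asn} is invalid or reserved by Azure")
    if not 1 <= plan.vlan_id <= 4094:
        errors.append(f"VLAN ID {plan.vlan_id} is out of range")
    links = [ipaddress.ip_network(s) for s in (plan.primary_subnet, plan.secondary_subnet)]
    for link in links:
        if link.prefixlen != 30:
            errors.append(f"BGP link subnet {link} must be a /30")
    if links[0].overlaps(links[1]):
        errors.append("primary and secondary link subnets overlap")
    for name, space in plan.vnets.items():
        vnet = ipaddress.ip_network(space)
        for link in links:
            if link.overlaps(vnet):
                errors.append(f"link subnet {link} overlaps VNet {name} ({vnet})")
    limit = PRIVATE_PEERING_ROUTE_LIMIT.get(plan.sku_tier)
    if limit is not None and plan.advertised_routes > limit:
        errors.append(f"{plan.advertised_routes} routes exceed the {plan.sku_tier} limit of {limit}")
    return errors


def deployment_commands(plan):
    """Circuit, private peering, and one ExpressRoute gateway plus connection per VNet, as strings."""
    rg, loc, cx = plan.resource_group, plan.location, plan.circuit_name
    cmds = [
        # Billing starts at this step, before the provider has done anything.
        f"az network express-route create -g {rg} -n {cx} -l {loc} --provider \"{plan.provider}\" "
        f"--peering-location \"{plan.peering_location}\" --bandwidth {plan.bandwidth_mbps} "
        f"--sku-tier {plan.sku_tier} --sku-family {plan.sku_family}",
        # The service key is what you hand to the provider; treat it as a secret.
        f"az network express-route show -g {rg} -n {cx} --query serviceKey -o tsv",
        f"az network express-route peering create -g {rg} --circuit-name {cx} "
        f"--peering-type AzurePrivatePeering --peer-asn {plan.peer_asn} --vlan-id {plan.vlan_id} "
        f"--primary-peer-subnet {plan.primary_subnet} --secondary-peer-subnet {plan.secondary_subnet}",
    ]
    for vnet in plan.vnets:
        gw = f"{vnet}-ERGW"
        cmds += [
            f"az network public-ip create -g {rg} -n {gw}-pip -l {loc} --sku Standard --allocation-method Static",
            # ExpressRoute gateways live in the same GatewaySubnet as VPN gateways would.
            f"az network vnet-gateway create -g {rg} -n {gw} -l {loc} --vnet {vnet} "
            f"--public-ip-address {gw}-pip --gateway-type ExpressRoute --sku Standard --no-wait",
            # Only valid once the provider status is Provisioned and private peering is configured.
            f"az network vpn-connection create -g {rg} -n {gw}-to-{cx} -l {loc} "
            f"--vnet-gateway1 {gw} --express-route-circuit2 {cx}",
        ]
    return cmds


if __name__ == "__main__":
    plan = PrivatePeeringPlan("ExamRef-RG", "canadacentral", "ExamRef-ER", "Equinix", "Toronto",
                              200, "Standard", "MeteredData", 65010, 100,
                              "192.168.100.0/30", "192.168.100.4/30",
                              {"ExamRef-VNet": "10.1.0.0/16"}, 120)
    problems = check_peering(plan)
    if problems:
        raise SystemExit("\n".join("ERROR: " + p for p in problems))
    print("\n".join(deployment_commands(plan)))
```

Run the checks, then the first command only; wait for the provider status to reach Provisioned before the peering and connection commands, otherwise they fail and you have already started paying for the circuit.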


Verify and troubleshoot on-premises connectivity

To verify connectivity or troubleshoot connectivity between on-premises networks and Azure:

■ Verify the status and configuration of all VPN connections, virtual network gateways,
ExpressRoute connections, or ExpressRoute circuits involved.

■ For ExpressRoute, try to reset a failed circuit using the Get-AzExpressRouteCircuit and
Set-AzExpressRouteCircuit PowerShell cmdlets, as described at:
https://docs.microsoft.com/azure/expressroute/reset-circuit.

■ Try to connect between an on-premises server and an Azure VM, and vice versa, for
example using SSH or a TCP port test.

■ Use standard network tools such as tcping or tracert to confirm connectivity between
networks.

■ Use the Azure network diagnostics tools described earlier in this chapter.


Configure Azure Virtual WAN 


Azure Virtual WAN brings together many networking, security, and routing capabilities
behind a single operational interface. It supports point-to-site, site-to-site, and ExpressRoute
connectivity as well as Azure Firewall configuration in one place, and you can use any one of
these scenarios or several of them together. Virtual WAN uses a hub-and-spoke topology: each
hub is deployed in an Azure region, and the spokes are the individual endpoints (VNets, branch
sites, and remote users) connected to it.

Hubs connect to each other over Microsoft's backbone network, while spokes connect to a
hub through VPN devices. Microsoft has partnered with many VPN solution providers whose
devices can export their configuration, be configured, and establish connectivity with Azure
Virtual WAN.


Create Azure Virtual WAN using Azure portal 


To create Azure Virtual WAN in Azure portal, click +Create A Resource, search for Virtual 
WAN, then click Virtual WAN. This will open the Create WAN blade, as shown in Figure 4-103. 
Select the Subscription, Resource Group, Location, and Type. Lastly, specify the WAN Name. 
[Figure 4-103 shows the Create WAN blade (Basics tab): Subscription, Resource group, Resource
group location, Name, and Type (Standard).]

FIGURE 4-103 Creating an Azure Virtual WAN


NOTE BASIC VS STANDARD WAN 


With Basic WAN, you can only create Basic Hubs. Basic Hubs are only capable of creating site- 
to-site connections. For any other connectivity, it is recommended to use Standard WAN. 


Once created, Virtual WAN will look like Figure 4-104. Each hub will be represented on the 
graph once created. You can manage the configuration and connectivity using various options. 


[Figure 4-104 shows the overview page of the ExamRef-WAN Virtual WAN resource.]

FIGURE 4-104 Overview page of Azure Virtual WAN
Create a Site-to-Site connection
To establish site-to-site connectivity, follow these steps: 


1. Go to the Virtual WAN created earlier, and under the Connectivity options, select Hubs >
+ New Hub.


2. You will need to specify the Location, Name, and Private Address Space for the hub 
on the Basics tab, as shown in Figure 4-105. Note that creating a hub with a gateway will 
take about 30 minutes. 


[Figure 4-105 shows the Create virtual hub blade (Basics tab) for ExamRef-WAN: Region Canada
Central, Name SiteToSite-Hub, Hub private address space 10.1.0.0/16. The blade notes that a
virtual hub is a Microsoft-managed virtual network, that there can be only one hub per Azure
region, and that creating a hub through the portal also creates the hub VNet and VPN gateway.]

FIGURE 4-105 Basics blade while creating Virtual Hub for Azure Virtual WAN


3. On the next screen, you can provide consent to create a site-to-site VPN gateway. Azure
will auto-populate the autonomous system number (the AS Number). You also need to
select the Gateway scale units. A gateway scale unit defines the aggregate throughput
of the gateway: if you select 1 Scale Unit - 500 Mbps x 2, two instances are deployed
to provide high availability, each with a maximum throughput of 500 Mbps. Size the
gateway properly to establish the right scale unit value for your sites. See Figure 4-106.


322 CHAPTER 4 Configure and manage virtual networking 




[Figure 4-106 shows the Site to site tab of the Create virtual hub blade: Do you want to
create a Site to site (VPN gateway)? Yes; AS Number 65515; Gateway scale units 1 scale unit -
500 Mbps x 2. The blade notes that enabling the gateway now avoids service interruptions later.]

FIGURE 4-106 Site to site blade while creating Virtual Hub for Azure Virtual WAN


4. Once the hub is created, you can create sites based on your physical locations. These
sites have their own endpoints that communicate with the hub. Sites are created from
Virtual WAN, under Connectivity, VPN Sites > + Create site. A few additional steps, listed
below, are then needed to establish site-to-site connectivity.


5. Connect a VPN site to the hub you created. 

6. Connect all your VNets to the hub you created. 

7. Download the VPN configuration file and configure your on-premises VPN device. 
8. Configure your VPN gateway (optional only for custom BGP IP Address). 


Further details can be found at https://docs.microsoft.com/en-us/azure/virtual-wan/virtual- 
wan-site-to-site-portal. 


Create a User VPN connection 
To establish point-to-site connectivity, follow these steps: 


1. Go to the Virtual WAN we created earlier, and under Connectivity Options, select User 
VPN Configurations > + Create User VPN Config. 


2. You will be asked to specify a configuration name, select the tunnel type and authentication
method, and supply the certificate name and Base-64-encoded X.509 certificate data.


3. Now, go back to the Virtual WAN you created earlier, and under Connectivity Options, 
select Hubs > + New Hub. 


4. You will be asked to specify the Location, Name, and Private Address Space For The 
Hub on the Basics tab, as previously shown in Figure 4-105. Please note that creating a 
hub with a gateway will take about 30 minutes. 
5. On the Point To Site tab, you can provide consent to create a point-to-site user VPN
gateway. You need to select the point-to-site configuration that you created earlier. You
also need to select the Gateway Scale Units and then supply the client address pool
CIDR range for the remote users and a custom DNS server, as shown in Figure 4-107.


[Figure 4-107 shows the Point to site tab of the Create virtual hub blade: Do you want to
create a Point to site (VPN gateway)? Yes; Gateway scale units 1 scale unit - 500 Mbps x 2,
supports 500 clients; Point to site configuration ExamRefUserConfig; Client address pool
10.1.0.0/24; Custom DNS Servers 208.67.222.222 (at most 5 custom DNS servers can be provided).]

FIGURE 4-107 Point to site blade while creating Virtual Hub for Azure Virtual WAN


6. Once the hub is created, you can download the virtual WAN user VPN profile by access- 
ing Virtual WAN, choosing Connectivity > User VPN Configurations, selecting the 
User VPN config created earlier, and clicking Download Virtual WAN User VPN 
Profile. This profile can be used to configure individual clients. 


Further details can be found at https://docs.microsoft.com/en-us/azure/virtual-wan/ 
virtual-wan-point-to-site-portal. 


Create an ExpressRoute association 


To establish connectivity using ExpressRoute circuit, go to the Virtual WAN created in the 
“Create Azure Virtual WAN using Azure portal” section; in the Connectivity options, select 
Hubs > + New Hub. You will be asked to specify a Region, Name, and Hub Private Address 
Space for the hub on the Basics tab, as shown earlier in Figure 4-105. Note that creating a hub 
with a gateway will take about 30 minutes. 
On the ExpressRoute tab, you can provide consent to create an ExpressRoute gateway. You 
also need to select the Gateway Scale Units, as shown in Figure 4-108. 


[Figure 4-108: Create virtual hub, ExpressRoute tab. Fields shown: Do you want to create an ExpressRoute gateway? Yes/No; Gateway scale units: 1 scale unit - 2 Gbps] 


FIGURE 4-108 ExpressRoute blade while creating Virtual Hub for Azure Virtual WAN 


Once a hub is created, follow these steps to establish site-to-site connectivity: 

1. Create a gateway in the hub you created. 

2. Connect all your VNets to the hub you created. 

3. Connect your ExpressRoute circuit to the gateway. 


Further details can be found at https://docs.microsoft.com/en-us/azure/virtual-wan/ 
virtual-wan-expressroute-portal. 


Thought experiment 


In this thought experiment, apply what you have learned about this objective. You can find 
answers to these questions in the next section. 


Your company, Contoso, wants to lift and shift an existing HR application to Azure. The 
application architecture comprises two web servers, and a database tier implemented using 
three servers in a SQL Server Always-On Availability Group. The web application uses an in- 
memory session state that requires each user to be consistently routed to the same web server 
instance. The application should be accessible only to the company Intranet, and not exposed 
to the Internet. 


In addition, Contoso has already migrated several other applications to Azure. A recent 
finance review, however, has highlighted increasing Azure spend, and your manager 
has identified the duplication of infrastructure components (such as domain controller virtual 
machines) across each migrated application as a potential area where savings can be made. 
Each of these applications is managed by a separate team, and each team should have adminis- 
trative access only to their application. 

1. How should the web tier be load-balanced? 

2. How should the database tier be load-balanced? 

3. How can you restrict network traffic between application tiers, and prevent on-premises 
users from having direct access to the database tier? 

4. How should the application be integrated into the company Intranet, avoiding exposing 
an Internet endpoint? 

5. How can you reduce costs by consolidating duplicated components? 

6. How does your design maintain administrative separation between applications? 


Thought experiment answers 


This section contains the solution to the thought experiment for the chapter. 


1. The web tier should be load-balanced using Azure Application Gateway. This option is 
chosen in preference to Azure Load Balancer because it supports cookie-based session 
affinity, which enables each user to be consistently routed to the same backend server. 
The App Gateway will be deployed in a separate subnet of the same virtual network that 
is used to host the web tier and database tier of the HR application (each tier uses a 
separate subnet). NSGs associated with each subnet are used to restrict network flows, 
for example, to ensure that only the web tier has access to the database. 

2. The database tier should be load-balanced using Azure Load Balancer. The Load 
Balancer will be configured with an internal (Intranet) IP address only. Because the Load 
Balancer is being used as a SQL Server Always-On Availability Group Listener, the 
Floating IP (Direct Server Return) option should be enabled. 

3. Network security groups should be used to restrict inbound and outbound traffic for 
the subnets used by each application tier. Optionally, application security groups can 
be used to simplify the IP address management and reduce the number of subnets and 
NSGs required. 

4. Connectivity between the application and the on-premises network can be achieved 
in two ways. The simplest option is to establish a Site-to-Site VPN between the on- 
premises network and the Azure virtual network. This creates an encrypted tunnel (over 
the Internet) linking the two networks together. A compatible on-premises VPN device 
with a static Internet-facing IPv4 address is required, together with a VPN gateway in 
Azure (hosted in a dedicated gateway subnet). Alternatively, an ExpressRoute connec- 
tion can be used. This provides a more reliable and consistent connection over a dedi- 
cated connection from a connectivity provider. In this case, an ExpressRoute gateway is 
used to connect the ExpressRoute circuit to the Azure virtual network. 

5. A dedicated VNet should be created to contain common services (such as Active Direc- 
tory servers), which are consumed by multiple applications. Each application should 
remain in its own VNet, which should only contain application-specific components. The 
application VNets should be peered with the shared services VNet, in a hub-and-spoke 
configuration (with the shared services VNet as the hub). This peering will give the appli- 
cations network access to the shared components. 

6. Because each application retains its own VNet containing all application-specific com- 
ponents, there is no loss of isolation or control for the application owners. These appli- 
cation components can even be deployed in separate subscriptions, making separate 
role-based access and billing straightforward. Peering of Resource Manager VNets is 
supported across subscription boundaries. 
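The NSG design in answer 3 relies on two behaviors: rules are processed in priority order with the first match winning, and the default AllowVnetInBound rule admits anything inside the VirtualNetwork tag (which includes on-premises prefixes learned through the VPN gateway) unless a user rule with a lower priority number denies it first. The following Python model is an added example, not code from the book; the addresses, ASG membership and service-tag ranges are constructed placeholders.

```python
"""Simulate Azure NSG rule evaluation for the HR application's database subnet.

Rules are evaluated in priority order (lowest number first) and processing stops at
the first matching rule, so the explicit Deny at priority 200 is what stops the
default AllowVnetInBound rule (65000) from admitting on-premises users.

Added example, not from the book. Addresses, ASG membership and service-tag
ranges are constructed placeholders; real service-tag ranges are published by Azure.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed stand-ins for service-tag ranges. In Azure, VirtualNetwork covers the
# VNet, peered VNets and on-premises prefixes reachable through the VPN gateway.
SERVICE_TAGS = {
    "VirtualNetwork": ["10.0.0.0/16", "192.168.0.0/16"],
    "AzureLoadBalancer": ["168.63.129.16/32"],  # Azure's health-probe source address
    "Internet": ["0.0.0.0/0"],
}
# Application security groups: membership is by NIC, not by subnet (constructed).
ASGS = {
    "asg-web": ["10.0.1.4", "10.0.1.5"],
    "asg-db": ["10.0.2.4", "10.0.2.5", "10.0.2.6"],
}


@dataclass(frozen=True)
class Rule:
    priority: int
    name: str
    access: str          # "Allow" or "Deny"
    source: str          # CIDR, single address, service tag, ASG name, or "*"
    destination: str
    port: str            # "*" or a single destination port
    protocol: str = "*"  # "*", "Tcp" or "Udp"


# The default inbound rules Azure places in every NSG; user rules take precedence
# only by carrying a lower priority number.
DEFAULT_INBOUND = [
    Rule(65000, "AllowVnetInBound", "Allow", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule(65001, "AllowAzureLoadBalancerInBound", "Allow", "AzureLoadBalancer", "*", "*"),
    Rule(65500, "DenyAllInBound", "Deny", "*", "*", "*"),
]


def expand(spec):
    """Resolve an address spec (tag, ASG, CIDR, host or *) to a list of networks."""
    if spec == "*":
        return [ip_network("0.0.0.0/0")]
    if spec in SERVICE_TAGS:
        return [ip_network(c) for c in SERVICE_TAGS[spec]]
    if spec in ASGS:
        return [ip_network(a) for a in ASGS[spec]]
    return [ip_network(spec)]


def matches(rule, src, dst, port, proto):
    """True if the flow falls inside every field of the rule."""
    if rule.protocol != "*" and rule.protocol.lower() != proto.lower():
        return False
    if rule.port != "*" and int(rule.port) != port:
        return False
    s, d = ip_address(src), ip_address(dst)
    return (any(s in net for net in expand(rule.source))
            and any(d in net for net in expand(rule.destination)))


def evaluate(user_rules, src, dst, port, proto="Tcp"):
    """Return (access, rule name) for the first matching rule in priority order."""
    for rule in sorted(list(user_rules) + DEFAULT_INBOUND, key=lambda r: r.priority):
        if matches(rule, src, dst, port, proto):
            return rule.access, rule.name
    return "Deny", "implicit"  # never reached: DenyAllInBound matches everything


# Constructed inbound rules for the database subnet: only web-tier NICs may reach
# SQL Server (TCP 1433); every other source inside the VirtualNetwork tag is denied.
DB_SUBNET_RULES = [
    Rule(100, "AllowWebToSql", "Allow", "asg-web", "asg-db", "1433", "Tcp"),
    Rule(200, "DenyVnetToSql", "Deny", "VirtualNetwork", "asg-db", "1433", "Tcp"),
]


if __name__ == "__main__":
    flows = [
        ("10.0.1.4", "10.0.2.4", 1433),       # web tier -> DB: AllowWebToSql
        ("192.168.5.10", "10.0.2.4", 1433),   # on-premises user -> DB: DenyVnetToSql
        ("168.63.129.16", "10.0.2.4", 1433),  # LB health probe: AllowAzureLoadBalancerInBound
    ]
    for src, dst, port in flows:
        print(src, "->", dst, port, evaluate(DB_SUBNET_RULES, src, dst, port))
    # With no user rules the default rule would let on-premises users reach SQL.
    print("no user rules:", evaluate([], "192.168.5.10", "10.0.2.4", 1433))
```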


Chapter summary 


This chapter covered many of the advanced networking features available in Azure. Below are 
some of the key takeaways from this chapter. 


Azure virtual networks (VNets) are isolated networks using a private IP address space. 
Virtual networks are divided into subnets, which allow you to isolate workloads. 


Azure reserves the first four and the last IP address in each subnet. The first IP address 
allocated to VMs is therefore typically the .4 IP address. 

Private IP addresses for a VM are assigned from a subnet and configured as settings on 
the IP configuration of a network interface resource. 

A VM can be associated with one or more network interfaces, and each network 
interface can contain multiple IP configurations. 

Private IP addresses support two allocation methods: dynamic or static. Dynamic 
IP addresses are released when the VM is stopped (deallocated). 

Public IP addresses are managed as a standalone resource, which can be associated with 
a network interface IP configuration. 


Public IP addresses support two pricing tiers (SKUs). The Basic tier supports dynamic and 
static assignment and provides open connectivity (which can be restricted using NSGs). 
The Standard tier supports zone-redundant deployments, uses static allocation only, and 
is closed by default (access is enabled using NSGs). 


User-defined Routes (UDRs) change the default behavior of subnets allowing you to 
direct outbound traffic to other locations. Typically, traffic is sent through a virtual 
appliance such as a firewall. 


If a UDR is used to send traffic to a virtual appliance, IP forwarding must be enabled on 
the NIC of the virtual appliance VM. 


Routing outbound Internet traffic via a VPN connection to a network security device is 
known as forced tunneling. 


The effective routes for each network interface can be reviewed to help diagnose 
routing issues. 


VNets can be connected using either VNet peering or VNet-to-VNet VPN connections. 
To connect two VNets, they must have non-overlapping IP address spaces. 


Virtual networks can be connected using VNet peering. This is supported both within a 
region or across regions. 
By default, peered VNets appear and perform as a single network. There is an option 
to limit connectivity, in which case NSG rules must be used to define the permitted 
connections. 


VNet peering allows VMs to see each other as one network, but the relationships are 
non-transitive. If VNetA and VNetB are peered and VNetB and VNetC are peered, VNetA 
and VNetC are not peered. 


A common approach is to use a hub-and-spoke network architecture, in which separate 
spoke VNets are used by each application, peered to a hub VNet containing a network 
virtual appliance (NVA). The peering connections must enable Allow Forwarded Traffic. 


Using VNet peering to provide access to a central VNet containing shared services, such 
as Active Directory domain controllers, is known as service chaining. 


Alternatively, virtual networks can be connected using a VNet-to-VNet VPN connection. 


A virtual network gateway can be used to create VPN connections between virtual 
networks (and is then called a VPN gateway). 


The size of the VPN gateway should be chosen based on the throughput required. 


The GatewaySubnet is a special subnet that is only used for virtual network gateways. 


A VPN gateway can be shared by peered VNets. The peering connections must enable 
the settings to Use Remote Gateway (on the peering toward the gateway) and Allow 
Gateway Transit (on the peering from the gateway). 


Both global VNet peering and VNet-to-VNet VPN connections route traffic between 
Azure regions over the Microsoft backbone network, not the public Internet. 

Azure DNS provides an authoritative DNS service for hosting Internet-facing domains. 
DNS zones in Azure DNS must be delegated from the parent domain. This is achieved 
by setting up appropriate NS records in the parent domain, pointing to the name 
servers assigned by Azure DNS. 


DNS records in Azure DNS are managed using record sets, which are the collection of 
records with the same name and the same type. 

DNS records at the zone apex use the record name @. You cannot create records with 
the CNAME record type at the zone apex. 

Azure DNS Alias records allow DNS records to reference other Azure resources, such as 
a public IP address. 


DNS zone files are a standard format used to transfer DNS records between DNS sys- 
tems. DNS zone files can only be imported into or exported from Azure DNS by using 
the Azure CLI. 


Azure-provided DNS, also known as Internal DNS, provides VM-to-VM DNS lookups 
within a virtual network. 


Alternatively, a customer can implement their own DNS servers, which can be config- 
ured either at the VNet or the network interface level. 
Azure DNS also supports private DNS zones, which can also be used to enable 
VM-to-VM DNS lookups. 


Network security groups are used to create firewall rules to control network flows. 
NSGs can be applied at the subnet level, or on individual VM network interfaces. 


Each NSG includes a list of default rules, which can be overridden using user-defined 
rules. Rules are applied in priority order (processing stops at the first rule matching the 
traffic in question). 


Source and destination IP address ranges in NSG rules can be specified explicitly using 
CIDR ranges. 


IP address ranges can also be specified using service tags, which are platform short- 
cuts for the IP ranges of key Azure services. Commonly used service tags include 
VirtualNetwork, Internet, AzureCloud, Storage, and SQL. 


IP address ranges can also be specified using application security groups (ASGs). ASGs 
allow NSG rules to be defined for groups of VMs without needing to allocate the VMs 
into separate subnets. 


Tools to help identify the required NSG rules include Service Map and NSG flow logs. 


Effective security rules can be reviewed for each network interface. This allows you to 
see the exact IP ranges used by each service tag and ASG. 


Azure Firewall is a managed service that provides out-of-the-box network security to 
secure Azure resources. 


Azure Firewall allows you to create and configure application and network rules. Applica- 
tion rules list the fully qualified domain names that are allowed to be accessed 
from a subnet, while network rules are a combination of source and destination IP 
addresses along with their ports and protocols. 

The Azure Bastion service is provisioned within a Virtual Network within a separate 
subnet called AzureBastionSubnet. If you have multiple VNets in your environment, you 
will need to deploy Azure Bastion for each VNet separately. 

Azure Application Gateway is a type of Load Balancer which can manage traffic for web 
applications. The web traffic routing occurs at application layer (OSI layer 7). 

The Azure Application Gateway routes application web traffic to defined resources in a 
backend pool. 


Azure Load Balancer (ALB) is a fully managed, high performance load-balancing service 
for TCP and UDP traffic. It operates at the transport layer (OSI Layer 4). Unlike App 
Gateway, it does not have visibility into application-level traffic. 


ALB can be deployed with either a public (Internet) or private (Intranet) frontend 
IP address. 


ALB comes in two pricing tiers (SKUs): Basic or Standard. The Standard tier supports 
availability zones, larger and more flexible backend pools, and a number of other 
features. The Basic tier is free of charge. 
An ALB load-balancing configuration comprises a frontend IP configuration, backend 
pool, health probes, and load-balancing rule. 


ALB also supports port forwarding, using inbound NAT rules. This maps a specific 
frontend port to a specific backend port on a specific backend server. 


Network Performance Monitor provides monitoring for hybrid networks. It supports 
performance monitor (for monitoring connections between two endpoints), con- 
nectivity monitor (to monitor outbound connections to a given IP or FQDN), and 
ExpressRoute monitor to monitor ExpressRoute connections. 


Network Watcher is a central hub providing access to a wide range of networking tools 
in Azure. 


IP Flow Verify is a Network Watcher feature used to test if a given network flow is 
allowed in or out of an Azure VM. 


Next Hop is used to determine the next hop address and routing rule for a given 
network flow. 


Packet Captures enables network traffic on a given VM to be captured, either locally or 
to an Azure storage account. 


Network Topology creates a diagrammatic representation of the resources in your 
virtual network. 


VPN Troubleshoot provides automated, in-depth troubleshooting of VPN connections. 


Connection Troubleshoot allows you to test the connectivity between two Azure VMs, 
or between a VM and an arbitrary external endpoint. 


Connection Monitor enables long-term connection monitoring, using similar diagnos- 
tics as used by Connection Troubleshoot. 


Site-to-Site VPN connections provide connectivity between an on-premises network 
and an Azure virtual network, using an encrypted tunnel over the public Internet. 


VPN gateways are virtual network gateways deployed with gateway type VPN. They are 
used to terminate site-to-site VPN connections. 


Site-to-Site VPNs support BGP routing and active-active gateways and connections to 
enable high availability. 


A wide variety of physical (and software) devices are supported as the on-premises 
Site-to-Site VPN endpoint. The device must have an Internet-facing static IPv4 address. 


A local network connection is an Azure resource used to represent the on-premises VPN 
device and network in Azure. 


An ExpressRoute connection provides connectivity between an on-premises network 
and an Azure virtual network, using a dedicated connection from a connectivity provider. 


You can connect to ExpressRoute either via your co-location facility provider, via a 
point-to-point ethernet connection, or by extending your IPVPN WAN. 


ExpressRoute provides Microsoft Peering (connectivity to Azure PaaS endpoints, and 
other Microsoft services) or Private Peering (connectivity to Azure virtual networks). 
The former uses Internet addresses, and the latter uses Intranet addresses. Azure Public 
Peering, for Azure PaaS services only, is deprecated for new ExpressRoute circuits. 
ExpressRoute circuits provide different levels of bandwidth, from 50 Mbps to 10 Gbps. 
They also provide redundant connections. 

ExpressRoute circuits are connected to an Azure virtual network using an ExpressRoute 
gateway (a virtual network gateway of type ExpressRoute). 

By default, ExpressRoute provides connectivity to all Microsoft data centers in a given 
geopolitical region. The ExpressRoute Premium Add-On extends coverage to all data 
centers, globally. It also increases the number of private peering routes and the number 
of virtual networks that can be connected to a circuit. 
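The peering rules recapped in this summary (non-overlapping address spaces, non-transitive peering, and the Use Remote Gateways / Allow Gateway Transit pair needed before a spoke can share the hub's VPN gateway) can be checked with a small model. This is an added example, not code from the book; the VNet names and address spaces are constructed, and it models the hub-and-spoke design from the thought experiment.

```python
"""Model the Azure VNet peering rules from the chapter summary.

Added example, not from the book. VNet names and address spaces are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass
class VNet:
    name: str
    address_space: str
    has_vpn_gateway: bool = False  # a virtual network gateway in its GatewaySubnet


@dataclass
class Peering:
    """One side of a peering; Azure creates a peering resource in each VNet."""
    local: str
    remote: str
    allow_gateway_transit: bool = False  # set on the peering from the gateway VNet
    use_remote_gateways: bool = False    # set on the peering toward the gateway VNet


class Topology:
    def __init__(self):
        self.vnets = {}
        self.peerings = {}  # (local, remote) -> Peering

    def add_vnet(self, vnet):
        self.vnets[vnet.name] = vnet

    def peer(self, hub, spoke, *, hub_allows_transit=False, spoke_uses_remote_gateway=False):
        """Create both sides of a peering between hub and spoke.

        Azure rejects peerings between VNets with overlapping address spaces, so
        the model refuses them too before recording either side.
        """
        net_hub = ip_network(self.vnets[hub].address_space)
        net_spoke = ip_network(self.vnets[spoke].address_space)
        if net_hub.overlaps(net_spoke):
            raise ValueError(f"{hub} and {spoke} have overlapping address spaces")
        self.peerings[(hub, spoke)] = Peering(hub, spoke, allow_gateway_transit=hub_allows_transit)
        self.peerings[(spoke, hub)] = Peering(spoke, hub, use_remote_gateways=spoke_uses_remote_gateway)

    def reachable(self, src, dst):
        """VMs in src reach VMs in dst only over a direct peering (both sides present).

        Peering is non-transitive: A<->B plus B<->C does not connect A and C.
        """
        return (src, dst) in self.peerings and (dst, src) in self.peerings

    def transits_gateway(self, spoke, hub):
        """True if the spoke can send on-premises traffic through the hub's VPN gateway."""
        to_hub = self.peerings.get((spoke, hub))
        from_hub = self.peerings.get((hub, spoke))
        if to_hub is None or from_hub is None:
            return False
        return (self.vnets[hub].has_vpn_gateway
                and to_hub.use_remote_gateways
                and from_hub.allow_gateway_transit)


def build_hub_and_spoke():
    """Constructed topology: a shared-services hub with a VPN gateway and two spokes."""
    topo = Topology()
    topo.add_vnet(VNet("shared-hub", "10.0.0.0/16", has_vpn_gateway=True))
    topo.add_vnet(VNet("hr-spoke", "10.1.0.0/16"))
    topo.add_vnet(VNet("finance-spoke", "10.2.0.0/16"))
    # Correct pairing: transit allowed on the hub side, remote gateway used on the spoke side.
    topo.peer("shared-hub", "hr-spoke", hub_allows_transit=True, spoke_uses_remote_gateway=True)
    # Incomplete pairing: the spoke asks for the remote gateway but the hub side never
    # allowed transit, so the spoke cannot reach on-premises through the hub.
    topo.peer("shared-hub", "finance-spoke", spoke_uses_remote_gateway=True)
    return topo


if __name__ == "__main__":
    t = build_hub_and_spoke()
    print("hr-spoke -> shared-hub:", t.reachable("hr-spoke", "shared-hub"))            # True
    print("hr-spoke -> finance-spoke:", t.reachable("hr-spoke", "finance-spoke"))      # False
    print("hr-spoke via hub gateway:", t.transits_gateway("hr-spoke", "shared-hub"))           # True
    print("finance-spoke via hub gateway:", t.transits_gateway("finance-spoke", "shared-hub")) # False
```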
Monitor and back up Azure resources 


As you begin to deploy services into your Azure subscriptions, how the environment will be 
monitored is one of the first questions you will need to answer, and to answer it you must 
think about all the services in your deployment. You will most likely have several services 
deployed, including Infrastructure-as-a-Service services (for example, virtual machines), 
which include compute, storage, and networking. And even without such services deployed today, 
over time you might have Platform-as-a-Service services for hosting applications. You will 
also be using the services that drive your virtual machines in more meaningful ways, such as 
implementing advanced configurations in Azure Storage and Azure Identity. 


You will need to account for all these services—along with the Azure platform itself—in 
your monitoring strategy. This includes all your infrastructure, applications, and networking. 


By developing a proactive monitoring strategy, you will be able to understand the 
operation of your environment at a component level, including resource health and resource 
spend. Implementing a robust strategy will help you increase your uptime through proactive 
notifications, so you can resolve issues before they become problems and optimize your 
resources for optimal performance, which allows you to increase your ROI with the services 
you deploy. 

As you develop your strategy, there are three areas you should consider: 


■ Visibility into services and the Azure Platform. This is all about understanding 
how an application or set of services is performing across the board. You will need 
to understand what metrics you need to monitor and how those can be acted on in 
Azure through both alerts and visualizations in dashboards. 


■ Deeper insights into applications. This is particularly true with service or depen- 
dency maps and advanced tracing. You may even use these insights to drive automa- 
tion and remediations within your environments. 


■ Resource optimization. You need to understand which metrics are important 
to not just the health of your application, but also the effects on users or systems 
that consume those applications. By using the visibility and insights you extract from 
the Azure platform, you can directly correlate the effects of remediations in your 
environment. 


Azure includes multiple services that perform specific roles for monitoring and 
optimization. It is critical that you understand both the out-of-the-box monitoring 
capabilities of Azure and the scenario-specific monitoring capabilities within the platform. 
This section will focus on out-of-the-box monitoring and optimization through Azure 
Monitor, as well as scenario-specific monitoring with Azure Monitor logs and log data that is 
stored in Log Analytics. 


Azure Backup is another critical service that enables simplified disaster recovery for virtual 
machines by ensuring that data is securely backed up and easily restorable. In this chapter, 
we'll also review how to implement and manage Azure backup and recovery solutions with an 
emphasis on the Azure Backup Service and Azure Site Recovery. 


Skills covered in this chapter: 
■ Skill 5.1: Monitor resources by using Azure Monitor 
■ Skill 5.2: Implement backup and recovery 


Skill 5.1: Monitor resources by using Azure Monitor 


Azure Monitor maximizes the availability and performance of your applications by delivering 
a comprehensive solution for collecting, analyzing, and acting on telemetry from your cloud 
and on-premises environments. It helps you understand how your applications are perform- 
ing and proactively identifies issues affecting them and the resources on which they depend. 
The Azure Monitor landing page provides a jumping off point to configure other more specific 
monitoring services, such as Application Insights, Network Watcher, Log Analytics, Manage- 
ment Solutions, and so on. Figure 5-1 shows some of the various data sources and how they are 
collected, either as metric or log data. The data is consumed, visualized, or acted on by various 
services in Azure. 


[Figure 5-1: Azure Monitor diagram. Sources: Application Insights, Containers, Virtual Machines, Monitoring Solutions. Data: Metrics, Logs. Visualize: Dashboards, Views, Power BI, Workbooks. Analyze: Metric Analysis, Log Analytics. Respond: Alerts, Autoscale. Integrate: Event Hubs, Logic Apps, Ingestion & Export APIs] 


FIGURE 5-1 Azure Monitor data sources for metric and log data and the ways you can act on the data 

MOREINFO AZURE MONITOR 


To learn more about the capabilities of Azure Monitor see https://docs.microsoft.com/azure/ 
monitoring-and-diagnostics/monitoring-overview-azure-monitor. 
MOREINFO AZURE MONITOR FOR CONTAINERS 


Azure Monitor for Containers is an offering that provides new capabilities for monitoring your 
Managed Kubernetes clusters (AKS) and Azure Container Instances (ACI). You can learn more 
about the new capabilities at https://docs.microsoft.com/en-us/azure/azure-monitor/insights/container-insights-overview. 


MOREINFO AZURE MONITOR FOR VMS 


Azure Monitor for VMs is an offering that provides new capabilities for monitoring your 
virtual machines and virtual machine scale sets. You can learn more about the new capabilities 
at https://docs.microsoft.com/azure/azure-monitor/insights/vminsights-overview. 


Azure Monitor helps you track performance, maintain security, and identify trends by 
ingesting metrics and telemetry from multiple areas, including applications and the operating 
systems of virtual machines. It also allows you to query your Azure resources (which emit 
performance counters), your Azure subscriptions, Azure AD tenant, and even custom sources. 


The data from your Azure resources is ingested into either metrics stored within the Azure 
platform and accessible by the monitor service or as logs into Log Analytics. 


IMPORTANT LOG ANALYTICS 


Log Analytics must be enabled and configured before insights can be extracted or visualiza- 
tions can be created that are dependent on that data. 


Comparing metrics and logs surfaces some key differentiators: 


■ Retention. Most of the metrics are retained for 93 days within the Azure service, while 
logs stored in Log Analytics can be retained for up to 2 years. There are opportunities for 
long-term retention of metrics by storing metrics in Log Analytics as well. 


■ Properties. Metrics have a fixed set of properties (or attributes). These are time, type, 
resource, value, and dimensions (optional). Logs have different properties for each log 
type and even support rich data types, such as date and time. 

■ Data availability. Metrics are gathered over time (like once a minute) and are available 
for immediate query. Logs are often gathered after being triggered by an event (such 
as an event being written to an application log) and can take time to process before they are 
available for query. While both offer near real-time query capabilities, metrics will typi- 
cally be used for fast alerts, and logs are used for more complex analysis. 
Once the data is collected, Azure Monitor provides a single pane of glass, or entry point, 
to interacting with your metrics and logs. Interactions can include querying and alerting, 
building visualizations and dashboards, or even automated responses based on telemetry 
for functionality, such as autoscaling in virtual machines. 


Data stored in Log Analytics can also be queried directly through a Log Analytics 
Workspace, where you will have access to the same query interfaces as you have through 
Azure Monitor, but you also can make customizations to the configuration of the workspace 
and access workspace-specific solutions, including visualizations and queries. 


All the data that you can access through Azure Monitor can be used to create alerts within 
Azure Monitor with alert rules. Alert rules are built based on target resources or resource 
types, such as virtual machines, storage accounts, and even PaaS services, and your custom 
conditions. Alerts allow you to be proactively notified of the health of the resources you deploy 
in Azure, and you are not limited to notifications, because alert rules leverage action groups 
that allow you to implement automation based on an alert condition. 


This section covers how to: 

■ Configure and interpret metrics 
■ Configure Log Analytics 
■ Query and analyze logs 
■ Set up alerts and actions 
■ Configure Application Insights 


Configure and interpret metrics 


Recall that metrics are the numerical values that are output by resources and services within 
Azure. Metrics are available for a number of Azure resources, but not all resources support 
metrics at this time. 


Metrics includes platform metrics, which are created by Azure resources and made available 
in Azure Monitor for querying and alerting. You can also query application metrics from 
Application Insights if the service is enabled and you have instrumented your applications— 
regardless of whether that application is hosted on a virtual machine or even in a PaaS service, 
such as Azure App Service. Virtual machines in Azure can also push custom metrics to the 
monitor service using the Windows Diagnostic extension on Windows servers and with the 
InfluxData Telegraf Agent on Linux VMs. There is also an opportunity to push custom metrics 
from other sources through a REST API. 


Figure 5-2 shows an example of a metrics chart displaying the percentage of CPU usage for 
a virtual machine. 
IMPORTANT NUMERICAL VALUES IN AZURE 

In this case, we are only referring to the numerical values that the resources in Azure gener- 
ate, not the logs or text-based values, such as the value of an event log that can be stored in a 
storage account or in a Log Analytics Workspace. 

FIGURE 5-2 Azure Metrics 


Azure metrics are collected at one-minute intervals (unless otherwise specified) and are 
identified by a metric name and a namespace (or category). Most of the Azure metrics are 
retained for 93 days within Azure Monitor, but there are notable exceptions, listed below: 

■ Guest OS metrics 
  ■ Classic guest OS metrics 
    ■ Collected through diagnostic extensions and sent to an Azure storage account. 
    ■ Retention period of 14 days. 
  ■ Guest OS metrics sent to Azure Monitor metrics 
    ■ Monitored by Windows diagnostic extensions or the InfluxData Telegraf agent and 
routed to an Azure Monitor data sink. 
    ■ Retention period of 93 days. 
  ■ Guest OS metrics collected by the Log Analytics agent 
    ■ Collected by the Log Analytics agent and sent to a Log Analytics workspace. 
    ■ Retention period of 31 days. This retention period can be extended for up to two 
years. 

■ Application Insights log-based metrics 
  ■ Log-based metrics are translated into log queries. 
  ■ Retention period of 90 days. 
EXAM TIP 

For longer-term retention, metrics can optionally be sent to Azure Storage for select 
resources and retained up to the configured retention policy or the storage limits of the 
account. They can also be sent to Log Analytics with a default retention period of 31 days. 


As metrics are collected, each metric has the following properties: 
■ The time the value was collected 
■ The type of measurement the value represents 
■ The resource with which the value is associated 
■ The value itself 


Metrics can be one-dimensional or multidimensional, with up to 10 dimensions. A 
nondimensional metric can be thought of as the metric name, and the value of the metric 
output is collected by the Monitor service over time. A multidimensional metric (whether from an 
Azure resource or a custom metric) is the metric name and an additional name-value pair with 
additional data. For example, imagine a storage account with multiple Blob containers where 
you need to track the consumption of storage by container. A nondimensional metric would 
provide only the total consumed storage for the Blob service in the storage account, whereas a 
multidimensional metric would provide the consumption by container, as it has the additional 
data stored in the metric record. 


To interact with metrics, open Azure Monitor in the Azure portal and select the Metrics 
blade. You will be presented with a blank chart (see Figure 5-3). You can select the scope and 
required metrics to customize the metrics chart as needed. 
FIGURE 5-3 Azure Metrics blank chart 


Analyze metrics across subscriptions 


To begin populating the chart, you need to select a metric. To select a metric, you must select 
a Subscription and a Resource Group. Optionally, you can filter by Resource Type as well. 
Selecting a resource will then allow you to select a metric namespace (or category), a metric, 
and an aggregation if applicable. For example, to view the Ingress metric for a storage account, 
select the storage account from the Scope drop-down menu, choose Account from the 
Metric Namespace drop-down menu, choose Ingress from the Metric drop-down menu, 
and choose Sum from the Aggregation drop-down menu, as shown in Figure 5-4. 


(Screenshot of the metric picker: Scope examrefrgdiag690, Metric Namespace Account, Metric Ingress, Aggregation Sum.)

FIGURE 5-4 Azure Metrics selection


You can add multiple metrics to the chart, and you can even mix Resources, Namespaces, 
Metrics, and Aggregations as required (see Figure 5-5). 


(Screenshot of three metrics on one chart: examrefrgdiag690 Ingress Sum; examrefrgdiag690 Egress Avg; examrefrgdiag690 Transactions Sum.)

FIGURE 5-5 Azure Metrics selection for multiple resources


The chart will be rendered as you complete each resource selection. The period for the 
query can be changed up to the retention limits of the metrics service, and the chart can be 
rendered as a Line Chart (default), Area Chart, Bar Chart, Scatter Chart, or Grid. An example 
of a Line Chart is shown in Figure 5-6. 
FIGURE 5-6 Azure Metrics line chart

Note that you are not limited to charting resources from the same subscription. You can select metrics for resources of any available type across all the subscriptions to which you have access.
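The same selection made programmatically, as an added example that is not the book's own code: it pulls hourly Egress, Ingress, and Transactions totals for the storage account with Get-AzMetric and flags any hour whose egress is more than five times the day's median, a cheap tripwire for bulk data leaving an account. It assumes the Az.Accounts, Az.Storage, and Az.Monitor modules are installed, Connect-AzAccount has been run, and that the resource group and storage account names (placeholders taken from the figures) exist.

```powershell
# Added example, not code from the book. Names are placeholders.
# Assumes Az.Accounts, Az.Storage, Az.Monitor and a completed Connect-AzAccount.
$rg      = 'ExamRef-RG'
$account = 'examrefrgdiag690'

$resourceId = (Get-AzStorageAccount -ResourceGroupName $rg -Name $account).Id

# One call, three metrics, hourly grain, last 24 hours. Total is the "Sum" aggregation of the portal.
$metrics = Get-AzMetric -ResourceId $resourceId `
    -MetricName 'Egress', 'Ingress', 'Transactions' `
    -MetricNamespace 'Microsoft.Storage/storageAccounts' `
    -AggregationType Total `
    -TimeGrain ([TimeSpan]::FromHours(1)) `
    -StartTime (Get-Date).AddDays(-1) -EndTime (Get-Date)

# Each PSMetric carries a Data collection of hourly points (Timestamp, Total, Average, ...).
$egress = @(($metrics | Where-Object { $_.Name.Value -eq 'Egress' }).Data)

# Median hourly egress as a baseline; a real deployment would baseline over a longer window.
$totals = @($egress | ForEach-Object { [double]$_.Total } | Sort-Object)
$median = if ($totals.Count -gt 0) { $totals[[int][math]::Floor($totals.Count / 2)] } else { 0 }

foreach ($point in $egress) {
    $mb   = [math]::Round($point.Total / 1MB, 2)
    $flag = if ($median -gt 0 -and $point.Total -gt 5 * $median) { '  <-- more than 5x median egress' } else { '' }
    '{0:u}  {1,10} MB{2}' -f $point.Timestamp, $mb, $flag
}

# The other two metrics are available the same way, e.g. for a transactions-per-hour chart:
$transactions = ($metrics | Where-Object { $_.Name.Value -eq 'Transactions' }).Data
$transactions | Select-Object Timestamp, Total | Format-Table -AutoSize
```

Because Get-AzMetric takes a resource ID rather than a portal scope, the same loop can run over storage accounts in several subscriptions after a Set-AzContext per subscription, which is the programmatic counterpart of the cross-subscription charting described above.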


From the Metrics blade, you can also create a new alert rule based on the metric query 
that is visualized. If you need to perform a deeper analysis, the raw metric data can also be 
exported to Excel. 


NOTE AZURE DASHBOARDS 


Each chart or visualization that you create in Azure Monitor can also be pinned to an Azure 
dashboard. You can have multiple dashboards in Azure, and you can even share a dashboard 
with others in your organization. 


You also are not limited to creating a single chart. Selecting the Add Chart button in the 
Metrics Explorer will allow you to stack multiple charts, so existing charts can be cloned and 
then customized. 


NOTE METRICS AND VISUAL RESPONSE TIMES

If you are evaluating a web application, you might want to use separate charts for visualizing response times (in milliseconds) and response size (in kilobytes). This is especially useful when you are working with metrics that have different units of measure or when the scale of the metrics you are evaluating varies widely.


Configure Azure Monitor logs 


Log Analytics helps you collect, correlate, search, and act on log and performance data generated by operating systems, applications, and Azure services. It gives you operational insights using rich search and visualizations. Log Analytics provides a single pane of glass for interacting with data from the entire platform and the workloads you host on it, including both Linux and Windows servers. Log Analytics can also collect data from machines hosted with other cloud providers or on-premises.

A Log Analytics Workspace is where logs are collected and aggregated. The logs can also 
be queried and visualized through Log Analytics or through Azure Monitor. A workspace is 
an Azure resource, meaning that RBAC can be applied for granular access to the service and 
the data stored within it. This also means that workspaces can be in regions that meet your 
organization's regulatory requirements, data isolation, and scope. You can create multiple 
workspaces in a single subscription. 


Implement Log Analytics Workspace 


A workspace can be created through the Azure portal, Azure PowerShell, the Azure CLI, and Resource Manager templates. To create a workspace through the Azure portal, browse to the Azure Marketplace and search for Log Analytics Workspace. Select Create to open the Log Analytics Workspace configuration blade.

(Screenshot of the Create Log Analytics workspace blade, Basics tab: Subscription Visual Studio Ultimate with MSDN; Resource group ExamRef-RG; Name ExamRef-LAWorkspace; Region Canada Central. The blade notes that a workspace is the basic management unit of Azure Monitor Logs and the logical storage unit where log data is collected and stored.)

FIGURE 5-7 Log Analytics Workspace configuration


To configure a workspace, you will need to provide (see Figure 5-7):
■ A name for the workspace
■ The subscription the workspace will be associated with
■ A resource group
■ A location
■ A selection for pricing tier (see Figure 5-8)


NOTE LOG ANALYTICS PRICING 


Details on pricing for Log Analytics can be found at https://azure.microsoft.com/pricing/ 
details/monitor/ This page also includes the pricing details for other services related to Azure 
Monitor, such as Application Insights and Alert Rules. 


(Screenshot of the Pricing tier tab: the cost of the workspace depends on the pricing tier and the solutions you use; you can change to a Capacity Reservation tier after the workspace is created; Pricing tier set to Pay-as-you-go (Per GB 2018).)

FIGURE 5-8 Pricing tier for Log Analytics Workspace


Note that Log Analytics is not available in all regions. To select an appropriate region, 
you can use the Azure Products by Region documentation at https://azure.microsoft.com/ 
global-infrastructure/services/. 


To select the appropriate pricing tier, review the pricing documentation at https://azure.microsoft.com/pricing/details/monitor/. A new workspace defaults to the Pay-as-you-go (Per GB 2018) tier shown in Figure 5-8, which includes the first 5 GB of ingested data per month and 31 days of retention at no charge; ingestion beyond that allowance and any longer retention are billed per GB.

A workspace can also be created with Azure PowerShell, the Azure CLI, or a Resource Manager template.

After a workspace has been provisioned, you must enable data collection and configure both resource and tenant logs to store their logs within the service.

To collect event and performance data from Windows and Linux machines, open the workspace and configure Agents Management (see Figure 5-9). From this blade, you can obtain the Workspace ID, Primary Key, and Secondary Key for associating machines with the service through the monitoring agent. You use this information when manually onboarding clients to the workspace. Treat the keys as secrets: anyone holding a key can push data into the workspace, so keep them out of scripts checked into source control, and use Regenerate if a key has been exposed.
(Screenshot of the Agents management blade for ExamRef-LAWorkspace, Windows servers tab: 0 Windows computers connected; links to download the 64-bit and 32-bit Windows agent, to be installed and configured using the workspace ID and key; Workspace ID, Primary key, and Secondary key fields, each key with a Regenerate button; and a Log Analytics Gateway section, which offers the gateway as a proxy for machines with no internet connectivity to the workspace.)

FIGURE 5-9 Log Analytics Workspace Agent Management


By choosing Advanced Settings -> Data, you can configure the Windows Event Logs, Windows Performance Counters, Linux Performance Counters, Syslog, IIS Logs, and Custom Fields and Custom Logs (see Figure 5-10).

FIGURE 5-10 Log Analytics Workspace advanced settings for data


After the workspace has been configured, you can begin to onboard machines. For machines to report telemetry to Log Analytics, they must be running the Azure Log Analytics (OMS) agent. This agent was previously referred to as the Microsoft Monitoring Agent (MMA) or the OMS Linux agent. The agent binds to a workspace to collect the data defined in the workspace settings or in installed solutions. Note that Microsoft has since retired the Log Analytics agent in favor of the Azure Monitor Agent, which is configured through data collection rules rather than workspace settings; the steps in this section describe the agent the exam covered at the time of writing.


The method for installing the agent varies based on the machine operating system, where it 
is hosted, and how it is managed. 


■ Azure Virtual Machines can be onboarded manually through the Azure portal; automatically through a Log Analytics Workspace associated with Azure Security Center; or programmatically through the Log Analytics VM extension for Windows or Linux, using Azure PowerShell, the Azure CLI, or a Resource Manager template.

■ Hybrid Windows computers (server or client) can be onboarded manually by downloading the agent and installing it locally, or through Azure Automation DSC when using hybrid workers.

■ Hybrid Linux computers (server only) can be onboarded manually by downloading the agent and installing it locally.

■ Machines managed with System Center Operations Manager (SCOM) can be integrated directly with Log Analytics by configuring SCOM to forward logs to the service.
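The portal steps above (create the workspace, set its data settings, copy the workspace ID and key, install the agent on an Azure VM) scripted end to end with the Az module. This is an added example and not the book's code: the resource names are placeholders, and it assumes the Az.OperationalInsights and Az.Compute modules are installed and Connect-AzAccount has been run. It uses the Log Analytics (MMA) VM extension this section describes; the Azure Monitor Agent that replaced it uses a different extension type (AzureMonitorWindowsAgent) and data collection rules, so the extension step differs there.

```powershell
# Added example, not code from the book. Names are placeholders.
# Assumes Az.OperationalInsights, Az.Compute and a completed Connect-AzAccount.
$rg       = 'ExamRef-RG'
$location = 'canadacentral'
$wsName   = 'ExamRef-LAWorkspace'
$vmName   = 'ExamRef-VM'

# 1. Workspace. PerGB2018 is the Pay-as-you-go tier shown in Figure 5-8.
$ws = New-AzOperationalInsightsWorkspace -ResourceGroupName $rg -Name $wsName `
          -Location $location -Sku 'PerGB2018' -RetentionInDays 31

# 2. Data settings (the Windows Event Logs entries of Figure 5-10): errors and warnings from
#    Application and System. These apply to every computer bound to the workspace.
foreach ($log in 'Application', 'System') {
    New-AzOperationalInsightsWindowsEventDataSource -ResourceGroupName $rg -WorkspaceName $wsName `
        -Name "$log-Log" -EventLogName $log -CollectErrors -CollectWarnings | Out-Null
}

# 3. Workspace ID and key (the Agents management blade of Figure 5-9). The key authorizes
#    ingestion into the workspace, so keep it out of transcripts, history and source control.
$wsId = $ws.CustomerId.ToString()
$key  = (Get-AzOperationalInsightsWorkspaceSharedKey -ResourceGroupName $rg -Name $wsName).PrimarySharedKey

# 4. Onboard the VM through the extension. workspaceId is a public setting; the key goes in
#    ProtectedSettings so it is stored encrypted and is not readable back through the API.
#    For a Linux VM use -ExtensionType 'OmsAgentForLinux' -TypeHandlerVersion '1.13'.
$vm = Get-AzVM -ResourceGroupName $rg -Name $vmName
Set-AzVMExtension -ResourceGroupName $rg -VMName $vmName -Location $vm.Location `
    -Name 'MicrosoftMonitoringAgent' `
    -Publisher 'Microsoft.EnterpriseCloud.Monitoring' `
    -ExtensionType 'MicrosoftMonitoringAgent' `
    -TypeHandlerVersion '1.0' `
    -Settings          @{ workspaceId  = $wsId } `
    -ProtectedSettings @{ workspaceKey = $key } | Out-Null

# 5. Confirm the extension provisioned; the VM appears in the Heartbeat table a few minutes later.
(Get-AzVMExtension -ResourceGroupName $rg -VMName $vmName -Name 'MicrosoftMonitoringAgent').ProvisioningState
```

The split between Settings and ProtectedSettings is the point to remember: anything placed in Settings is returned in clear text by Get-AzVMExtension and the REST API to anyone with read access to the VM, which is exactly where a workspace key should not be.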


NOTE AGENT DEPLOYMENT AND INSTALLATION

For specific guidance on how you should deploy and install the agent based on your scenario, refer to the documentation at https://docs.microsoft.com/azure/azure-monitor/platform/log-analytics-agent#install-and-configure-agent.


For the agent to send telemetry, you must also ensure that the required ports are available and the required URIs are added to the approved list. The agent uses port 443 for all outbound communication. The required URIs are shown in Table 5-1. The last column matters when an outbound proxy performs TLS (HTTPS) inspection: the agent does not support interception of these connections, so they must be exempted or the agent will fail to connect.

TABLE 5-1 Log Analytics Agent ports and protocols

Agent Resource                 Ports      Direction    Bypass HTTPS inspection
*.ods.opinsights.azure.com     Port 443   Outbound     Yes
*.oms.opinsights.azure.com     Port 443   Outbound     Yes
*.blob.core.windows.net        Port 443   Outbound     Yes
*.azure-automation.net         Port 443   Outbound     Yes

Configure diagnostic settings

While the resources you deploy in Azure create metrics automatically, many of them also offer richer diagnostic logs, which can be configured to send their log data to another location, such as a storage account or a Log Analytics Workspace. In addition to resource logs, there are also tenant-level services, such as Azure Active Directory, which exist outside a subscription and from which you might need to collect log data.

Diagnostic logs are one type of log data. There is also log data within the Azure Activity Log, and there is log data that can be obtained from virtual machines with the use of diagnostics agents, which is separate from the diagnostic logs associated with a tenant-level service or an Azure resource. It is important to understand the differences between the types of log data that are available and where that log data can be stored.


IMPORTANT RESOURCE AND TENANT LOGS ARE DIAGNOSTIC LOGS 


Both resource logs and tenant logs are considered diagnostics logs. Diagnostics logs that 
you configure for a tenant service or a resource are separate from the Azure Activity Log and 
guest telemetry obtained with diagnostics agents. 


The Azure Activity Log surfaces data at the subscription level and can be useful for 
understanding actions that occur within your environment against the Resource Manager 
APIs. For example, when a new deployment is submitted, the events associated with that 
deployment such as the time it was submitted, the resources that were created, and the user 
that submitted the request are all tracked within the Activity Log. However, at the subscription 
level, you are missing any resource-level logs. For example, the Activity Log can show when 
a Network Security Group (or NSG) was created, but it cannot show when an NSG rule was 
applied to traffic that was subject to the NSG, such as when a port or protocol is blocked. 
Diagnostic logs provide this functionality. 


NOTE RETAINED FOR 90 DAYS 


Events in the Activity Log are retained for 90 days. You can retain the data for a longer period 
by sending the logs to Azure Storage and/or a Log Analytics Workspace. 


Diagnostic logs will need to be enabled for each resource from which you want to collect additional telemetry. Note that metrics are resource-specific and captured automatically, so you only need to enable diagnostic logs to capture log data or to send metrics to another service.


IMPORTANT SUPPORT FOR DIAGNOSTIC LOGS

Not all Azure resource types support diagnostic logs. A full list of services that support logs and their service-specific log schemas can be found at https://docs.microsoft.com/azure/monitoring-and-diagnostics/monitoring-diagnostic-logs-schema.


To enable diagnostic logs through the Azure portal, you can browse to the resource itself to create the settings. The alternative and recommended method is to browse to Azure Monitor and select the Diagnostic Settings blade. From this blade, you can view all the resource types eligible for diagnostic logs and view the status (Enabled or Disabled) for log collection on each resource. Also, you can filter by Subscription, Resource Group, Resource Type, and Resource. An example is shown in Figure 5-11.

FIGURE 5-11 Azure Monitor Diagnostic settings


To enable diagnostic settings, click a resource with a status of Disabled. In the Diagnostic Settings blade, you will see a + Add Diagnostic Setting link. Specify the Diagnostic Setting Name and select the required logs, as shown in Figure 5-12.

(Screenshot of the Diagnostics setting blade for a network security group: Diagnostic setting name NSG-DiagSetting; log categories NetworkSecurityGroupEvent and NetworkSecurityGroupRuleCounter selected; destination Send to Log Analytics checked, with subscription Visual Studio Ultimate with MSDN and workspace ExamRef-LAWorkspace (canadacentral); Archive to a storage account and Stream to an event hub unchecked. The blade explains that a diagnostic setting specifies the categories of platform logs and/or metrics to collect from a resource and one or more destinations to stream them to, and that normal usage charges for the destination apply.)

FIGURE 5-12 Azure Monitor Diagnostic settings for a resource

NOTE DIAGNOSTIC LOGS


Each resource or tenant service on which you enable diagnostic logs will have varying controls 
(or settings). For example, not all resources support a retention policy in the diagnostic set- 
tings, and not all resources support sending metric data to another location. 


When configuring diagnostic settings, you will select where the logs (and optionally metrics) are sent. Valid destinations are Archive To A Storage Account, Stream To An Event Hub, and Send To Log Analytics (see Figure 5-12). As you select each destination, additional configuration will be required. For example, to archive to a storage account, you will need to select an existing storage account or create a new one.

For diagnostic logs that support retention with storage, you can select a retention period in days. A retention period of zero days means the logs will be retained forever; otherwise, valid values are any number of days between 1 and 365. If you set a retention period but have only selected an Event Hub or a Log Analytics Workspace (and not a storage account), the retention setting is ignored. Note that Microsoft has since deprecated this per-setting retention policy for storage destinations in favor of Azure Storage lifecycle management policies, so for new deployments set retention on the storage account rather than in the diagnostic setting.


As you configure each resource or service, you can send the data from multiple log sources 
to the same destination. For example, you can send the diagnostic logs from a tenant service 
like Azure Active Directory to a Log Analytics Workspace, and you can send the diagnostics 
logs from a resource like a Network Security Group to the same Log Analytics Workspace. 


It can take several moments for the setting to appear in the list of settings for the resource. 
Note that even though the setting has been configured, diagnostic data will not be collected 
until a new event is generated. 


All these settings can be configured through the Azure portal, Azure PowerShell, the Azure 
CLI, or through the Azure Monitor REST API. 
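The Azure PowerShell route for the settings just described, as an added example that is not the book's code: it enables an NSG's diagnostic log categories to both the workspace and a storage account, then routes the subscription's Activity Log to the same workspace so it outlives the 90-day default mentioned earlier. It assumes Az.Monitor 3.0 or later (which introduced New-AzDiagnosticSetting; earlier releases used Set-AzDiagnosticSetting), plus Az.Network, Az.OperationalInsights, and Az.Storage, with Connect-AzAccount completed. Resource names are placeholders taken from the figures.

```powershell
# Added example, not code from the book. Names are placeholders.
# Assumes Az.Monitor >= 3.0, Az.Network, Az.OperationalInsights, Az.Storage, Connect-AzAccount done.
$rg  = 'ExamRef-RG'
$nsg = Get-AzNetworkSecurityGroup      -ResourceGroupName $rg -Name 'ExamRef-NSG'
$ws  = Get-AzOperationalInsightsWorkspace -ResourceGroupName $rg -Name 'ExamRef-LAWorkspace'
$sa  = Get-AzStorageAccount            -ResourceGroupName $rg -Name 'examrefrgdiag690'

# Ask the resource which log categories it supports rather than hard-coding them. For an NSG
# this yields NetworkSecurityGroupEvent and NetworkSecurityGroupRuleCounter (Figure 5-12);
# for a type that supports no logs it yields nothing, which is the "not all resources" caveat.
$logCategories = Get-AzDiagnosticSettingCategory -ResourceId $nsg.Id |
    Where-Object { $_.CategoryType -eq 'Logs' } |
    Select-Object -ExpandProperty Name

$logs = foreach ($c in $logCategories) {
    New-AzDiagnosticSettingLogSettingsObject -Category $c -Enabled $true
}

# One setting, two destinations: Log Analytics for querying, storage for cheap long-term archive.
New-AzDiagnosticSetting -Name 'NSG-DiagSetting' -ResourceId $nsg.Id `
    -WorkspaceId $ws.ResourceId -StorageAccountId $sa.Id -Log $logs | Out-Null

# Activity Log is subscription-scoped, so it has its own cmdlet and category set.
# Administrative and Security are what an incident review needs first; Policy adds evaluations.
$activity = foreach ($c in 'Administrative', 'Security', 'Policy') {
    New-AzDiagnosticSettingSubscriptionLogSettingsObject -Category $c -Enabled $true
}
New-AzSubscriptionDiagnosticSetting -Name 'ActivityLog-ToWorkspace' `
    -WorkspaceId $ws.ResourceId -Log $activity | Out-Null

# Verify what is now configured on the NSG.
Get-AzDiagnosticSetting -ResourceId $nsg.Id |
    Select-Object Name, WorkspaceId, StorageAccountId,
        @{ n = 'EnabledLogs'; e = { ($_.Log | Where-Object Enabled | ForEach-Object Category) -join ', ' } }
```

Querying the categories first is worth the extra call: category names differ per resource type and a misspelled one fails the whole setting, whereas the loop above adapts to whatever the resource actually offers.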


EXAM TIP

The Azure Diagnostics agent can also be configured through Resource Manager templates and the command-line tools by specifying a configuration file. For the exam you should be aware of the schema of this configuration and how to apply it using automated tools. You can learn more about the Azure Diagnostics schema at https://docs.microsoft.com/azure/monitoring-and-diagnostics/azure-diagnostics-schema.


Query and analyze logs 


As mentioned earlier, Azure Monitor stores and surfaces two types of data: metrics and logs. Metrics are numerical values such as performance counters, while logs can be either numerical data or text, such as the full text of an exception raised in an application or the text of an application log from a Windows or Linux server.

Create a query


After the workspace has been configured and tenant logs, resource logs, and machines have been onboarded, you can begin to analyze and visualize data. To interact with the data in Log Analytics, you use log queries, which are used to:

■ Perform interactive analysis of log data through the Azure portal in Azure Monitor and a Log Analytics Workspace.
■ Build custom alert rules based on the logs in a workspace.
■ Generate visualizations that can be shared through Azure Dashboards.
■ Export custom data sets to Excel or Power BI.
■ Perform automation based on log data with PowerShell or the Azure CLI.


NOTE LOG QUERY USAGE

To learn more about all the ways that log queries can be used, refer to the documentation at https://docs.microsoft.com/azure/azure-monitor/log-query/log-query-overview#where-log-queries-are-used.


The query language used by Log Analytics is the Kusto Query Language (KQL). KQL queries are read-only requests to process data and return results; a query cannot modify or delete what is stored. The logs in Log Analytics are therefore immutable and are removed from a workspace only according to its retention configuration. Queries are authored in plain text, and the schema used by Log Analytics is like SQL's, with databases and tables composed of columns and rows. In each table, data is organized in columns with different data types, as indicated by icons next to the column name. Column data types include text, numbers, and datetime.


Authored queries in Log Analytics can take many forms, from basic queries to very 
advanced queries with multiple aggregates and summarizations. Queries can be used to search 
terms, identify trends, analyze patterns, and provide many other insights. Queries search tables 
and can start with either a table name or a search command that defines scope. The pipe (|) 
character separates commands, and you can add as many commands as required. 


In the following example, the Heartbeat table is queried to count the distinct computers (by IP address) reporting to the workspace in each one-hour bin of TimeGenerated, and to render the result as a chart of the number of computers reporting each hour.

// Chart the number of reporting computers each hour
Heartbeat
| summarize dcount(ComputerIP) by bin(TimeGenerated, 1h)
| render timechart


To run this query, browse to Azure Monitor and select Logs to open the query interface. This 
query will not return data if you do not have any virtual machines deployed and running. Those 
machines must also be associated with the Log Analytics Workspace you are querying. 
The query shown above is a table-based query. Queries always begin with a scope, either a table or a search-based query. Kusto queries are case-sensitive. Typically, language keywords are written in lowercase. When using the names of tables and columns in queries, you must ensure you are using the correct case. Table-based queries target a single table in a Log Analytics Workspace (or database), while search-based queries target all tables by default.


Table-based queries start by scoping the query, and therefore tend to be very efficient and 
generally faster than search queries. Search queries are less structured by nature, which makes 
them the better choice when searching for a specific value across columns or tables. In other 
words, a search can scan all columns in a given table or in all tables across an entire workspace 
for the defined value. 


The amount of data being processed by a query could be enormous, which is why these 
queries can take longer to complete and might return large result sets which are limited by the 
Log Analytics service to 10,000 results. 
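A table-based query run outside the portal, as an added example that is not the book's code: it uses Invoke-AzOperationalInsightsQuery to find onboarded computers whose agent has stopped sending heartbeats, which is a monitoring gap first and, if an attacker stopped the agent, a security signal second. It assumes Az.OperationalInsights is installed, Connect-AzAccount has been run, and the workspace named below (a placeholder) exists and has agents bound to it.

```powershell
# Added example, not code from the book. Names are placeholders.
# Assumes Az.OperationalInsights and a completed Connect-AzAccount.
$ws = Get-AzOperationalInsightsWorkspace -ResourceGroupName 'ExamRef-RG' -Name 'ExamRef-LAWorkspace'

# Table-based: the scope is Heartbeat, so only that table is scanned. Table and column names
# are case-sensitive (Heartbeat, TimeGenerated, Computer, OSType, Version).
$kql = @'
Heartbeat
| where TimeGenerated > ago(7d)
| summarize arg_max(TimeGenerated, Version) by Computer, OSType
| where TimeGenerated < ago(1h)
| project Computer, OSType, AgentVersion = Version, SilentFor = now() - TimeGenerated
| order by SilentFor desc
'@

# WorkspaceId is the workspace's CustomerId GUID, the same value the agent binds to.
$response = Invoke-AzOperationalInsightsQuery -WorkspaceId $ws.CustomerId -Query $kql `
                -Timespan ([TimeSpan]::FromDays(7))

# Results arrive as one PSObject per row with a property per projected column.
$rows = @($response.Results)
if ($rows.Count -eq 0) {
    'Every computer has sent a heartbeat within the last hour.'
} else {
    $rows | Format-Table Computer, OSType, AgentVersion, SilentFor -AutoSize
}
```

The contrast with a search-based query is worth seeing once: replacing the query text with search "ExamRef-VM" would scan every column of every table in the workspace for that string, which is the right tool when you do not know where a value lives and the wrong one for a scheduled job, because its cost grows with the whole workspace rather than with one table.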


To author queries in the Azure portal, browse to Azure Monitor and select the Logs blade. From this blade, you can access all the subscriptions and workspaces you have rights to read from. Azure Monitor offers many sample queries for heartbeats, performance, and usage across your machines and services tracked in Log Analytics (see Figure 5-13).

FIGURE 5-13 Azure Monitor logs


IMPORTANT AZURE MONITOR LOGS

The data collection settings shown in Figure 5-10 apply to the entire workspace and cannot be configured per computer group.

Selecting a query and clicking Load To Editor will open an editor with a query preview, as shown in Figure 5-14.


(Screenshot of the query editor with the scope set to ExamRef-LAWorkspace, the time range set to Last 24 hours, and the toolbar offering Save, Copy link, New alert rule, Export, and Pin to dashboard. The loaded sample query, "Chart CPU usage trends", is:

// Calculate CPU usage patterns over the last day, chart by percentiles
Perf
| where CounterName == "% Processor Time"
| where ObjectName == "Processor"
| summarize avg(CounterValue) by bin(TimeGenerated, 15min) // bin is used to set the time grain to 15 minutes
| render timechart
// Perf table stores performance counters for Windows and Linux computers
// Counters are specified using ObjectName (performance object), InstanceName and CounterName
// % Processor Time captures CPU activity; ObjectName can be Processor, Process and Process Information

The example queries pane is grouped by Resource Type, with a Favorites list that is populated by clicking the star icon.)

FIGURE 5-14 Query editor with sample query


Save a query to the dashboard 


In addition to sample queries, you can browse the schema for the currently selected work- 
space. This is useful for determining the proper case for table and column names as Kusto is 
a case-sensitive query language. Authored queries can be saved for later and/or marked as 
favorites so they can be retrieved later using the Query explorer (see Figure 5-15). 


(Screenshot of the Save dialog for a query, with fields for Name, Save as (Query), and Category.)

FIGURE 5-15 Save or mark as favorite query


Interpret graphs 


In the query editor, you also get an option to generate charts/graphs based on the log queries. In the output pane, select Chart to see a graphical representation of the query results. You can choose the display option from various categories (column, bar, line, pie, or area). For one of the sample queries, the stacked bar chart is shown in Figure 5-16.

FIGURE 5-16 Stacked bar chart


Similarly, for the same query, the doughnut pie chart is shown in Figure 5-17. 


(Screenshot of the Chart view rendered as a doughnut: a Heartbeat query over the last hour summarized by OSType, 2 records, completed in 00:00:00.426; the Windows sector is 13.04% and the Linux sector the remainder.)

FIGURE 5-17 Doughnut pie chart
You can hover over the graph to interpret the results directly from it. The highlighted sector is displayed with its query result, as shown in Figure 5-18.

(Screenshot of the same doughnut chart with the Linux sector highlighted: OSType Linux, count_Computer 20 (86.96%).)

FIGURE 5-18 Doughnut chart with a highlighted sector


Set up alerts and actions 


Alerts proactively notify you when important conditions are found in your monitoring data. 
They allow you to identify and address issues before the users of your system notice them. 


Azure Monitor brings a unified alerting experience to Azure, with a single pane of glass for interacting with metrics, the Activity Log, Log Analytics, service and resource health, and service-specific insights that provide out-of-the-box dashboards with visualizations and queries for:

■ Custom applications with Application Insights
■ Virtual Machines
■ Storage accounts
■ Containers
■ Networks
■ Key vaults (preview)

Alerts have multiple notification options, including:
■ Email
■ SMS
■ Push notifications to the Azure mobile app
■ Voice
■ Integration with automation services
Alerts that are generated within Azure Monitor can invoke Azure Automation runbooks, Logic Apps, and Azure Functions, and can even generate incidents in third-party IT Service Management tools, such as ServiceNow.


Create and test alerts 


To create an alert rule, click Alerts from within the Azure resource configuration blade or 
browse to Azure Monitor in the Azure portal, select the Alerts blade, and select +New Alert 
Rule, as shown in Figure 5-19. 


(Screenshot of the Monitor Alerts blade with no alert rules configured yet: filters for Resource group, Resource, and Time range; the text "Configure alert rules and attend to fired alerts to efficiently monitor your Azure resources"; and a link to the classic alerts.)

FIGURE 5-19 The alerts blade from within Azure Monitor


Alerts in Azure Monitor are centered on alert rules. Alert rules contain the following components:

■ A target resource (or resource type)
■ Conditional logic for the alert, with criteria based on the available signals for the target resource
■ An Action Group, or what should happen when the alert rule condition is met
■ A name and description for the alert rule


NOTE AZURE MONITOR ALERT RULES 


Alert Rules in Azure Monitor are not the same as alerts. They are the criteria used to evalu- 
ate when an alert should be generated. An alert is generated based on the rule, and then the 
alerts themselves are acted upon separately, even maintaining their own state (such as New 
or Closed). 
Pick the target for the alert, which determines the available signals, by clicking the Select Resource button, as shown in Figure 5-20.

(Screenshot of the Scope section of Create alert rule: "Select the target resource you wish to monitor"; no resource selected yet; a Select resource button.)

FIGURE 5-20 Azure Monitor Create alert rule


The target resource defines the scope and signals available for the alert. A target resource is an Azure resource that generates signals (such as metrics or the Activity Log), such as a virtual machine or storage account. The signal types that are available for monitoring vary based on the selected target (or targets, as you can select more than one), and the available signal types are as follows:

■ Metrics
■ Log search queries
■ Activity Logs

For instance, selecting a subscription will allow you to select Activity Log signals. Selecting a single resource like a virtual machine will allow you to select signals that include both the Activity Log and metrics, as shown in Figure 5-21.


(Screenshot of the Select a resource pane: filters by subscription (Visual Studio Ultimate with MSDN), resource type (Virtual machines), and location (All); the resource hierarchy lists the subscription, the examref-rg resource group, and the virtual machines ExamRef-VM and ExamRef-VMs, all in Canada Central. Available signal types for the selection are shown at the bottom right.)

FIGURE 5-21 Azure Monitor alert target


The next step is to configure the alert criteria by clicking the Select Condition button, as 
shown in Figure 5-22. 
(Screenshot of the Condition section: "Configure when the alert rule should trigger by selecting a signal and defining its logic"; no condition selected yet.)

FIGURE 5-22 Azure Monitor Add condition

The condition will allow you to select the signal from the available signals for the target and define the logic test that will be applied to the data from the signal. For example, for a virtual machine you can use the Percentage CPU metric to generate an alert based on a custom threshold for CPU usage, as shown in Figure 5-23. The alert logic conditions are different for Activity Log signals and metric signals.

(Screenshot of Configure signal logic: a chart of Percentage CPU (Avg) for ExamRef-VM over the last 6 hours, sitting at about 1.38%; alert logic with Threshold Static, Operator Less than or equal to, Aggregation type Average, and Threshold value 10 %; the condition preview reads "Whenever the average percentage cpu is less than or equal to 10 %"; evaluated with an aggregation granularity (period) of 5 minutes and a frequency of evaluation of every 5 minutes.)

FIGURE 5-23 Azure Monitor alert condition


Skill 5.1: Monitor resources by using Azure Monitor CHAPTER 5 


Humble Bundle MS Exam Ref Pearson Mega Bundle — © Pearson. Do Not Distribute. 


355 


Configure one or more conditions for the alert rule. After the conditions are defined, 
proceed to Action Groups by clicking the Select Action Group button, as shown in 
Figure 5-24. An Action Group is a collection of actions that should occur in response to 
an alert being triggered. 


(Screenshot of the Action group section: "Send notifications or invoke actions when the alert rule triggers, by selecting or creating a new action group"; columns for Action group name and Contains actions; no action group selected yet; a Select action group button.)

FIGURE 5-24 Azure Monitor Action Groups


Select an existing Action Group if you already have one; otherwise, click the Create Action Group button to create a new Action Group, as shown in Figure 5-25.


[Figure: the "Select an action group to attach to this alert rule" blade, with a + Create action group link, a Subscription selector (Visual Studio Ultimate with MSDN), a search box, columns Action group name and Contains actions, and no results.]

FIGURE 5-25 Create Action Group


NOTE ACTION GROUPS 


Action groups are separate resources and are independent of the alert rule. This means that 
the same Action Group can be used across multiple alert rules. 


When creating a new Action Group, define the Action Group Name, Display Name, 
Subscription, and Resource Group in which the Action Group will be created (see 
Figure 5-26). 

On the next screen, you can configure notifications. Select Email Azure Resource 
Manager Role from the Notification Type drop-down menu and select the respective roles 
from the drop-down menu that appears below the Notification Type, as shown in Figure 5-27. 
[Figure: the Create action group Basics tab (tabs: Basics, Notifications, Actions, Tags, Review + create). "An action group invokes a defined set of notifications and actions when an alert is triggered." Project details: Subscription = Visual Studio Ultimate with MSDN; Resource group = ExamRef-RG. Instance details: Action group name and Display name; the display name is limited to 12 characters.]

FIGURE 5-26 Basics blade - Create Action Group

[Figure: the Notifications tab of Create action group, with Notification type set to Email Azure Resource Manager Role and the role selection below it.]

FIGURE 5-27 Notifications blade - Create Action Group


Alternatively, you can configure other notifications by selecting Email/SMS Message/Push/Voice as the Notification Type and choosing the respective options in the pop-up screen, as shown in Figure 5-28. An Action Group may contain up to 1,000 email actions and 10 SMS/Voice actions.
[Figure: the Notifications tab of Create action group with the Email/SMS message/Push/Voice notification type selected.]

FIGURE 5-28 Notifications blade - Create Action Group


In addition to sending notifications, an Action Group can execute the following actions:

■ Runbook. A set of PowerShell code that runs in the Azure Automation service. Learn more about using runbooks to remediate alerts at https://azure.microsoft.com/blog/automatically-remediate-azure-vm-alerts-with-automation-runbooks/.

■ Function Apps. A Function App is a set of code that runs "serverless" and can respond to alerts. This functionality requires version 2 of Function Apps, and the AzureWebJobsSecretStorageType app setting must be set to files.

■ ITSM. You may have up to 10 IT Service Management (ITSM) actions with an ITSM connection. The following ITSM providers are currently supported: ServiceNow, System Center Service Manager, Provance, and Cherwell. Learn more about ITSM connections at https://docs.microsoft.com/azure/azure-monitor/platform/itsmc-overview.

■ Logic Apps. A Logic App provides a visual designer to model and automate your process as a series of steps known as a workflow. Many connectors across the cloud and on-premises let you quickly integrate across services and protocols. When an alert is triggered, the Logic App can take the notification data and use it with any of the connectors to remediate the alert or start other services. Learn more about Azure Logic Apps at https://docs.microsoft.com/azure/logic-apps/logic-apps-what-are-logic-apps.

■ Webhook. A webhook routes an Azure alert notification to other systems for post-processing or custom actions. For example, you can use a webhook on an alert to route it to services that send text messages, log bugs, notify a team via chat/messaging services, or perform any number of other actions. Because the receiving endpoint is identified only by its URL, treat that URL as a secret and have the receiver validate what it is sent; the Secure Webhook action type adds Azure AD authentication for this purpose. Learn more about sending alert information to webhooks at https://docs.microsoft.com/azure/monitoring-and-diagnostics/insights-webhooks-alerts.


You configure these actions for the Action Group on the Actions tab. Select from the options available in the Action Type drop-down menu, as shown in Figure 5-29.
[Figure: the Actions tab of Create action group. "Configure the method in which actions are performed when the action group triggers. Select action types, fill out associated details, and add a unique description. This step is optional." The Action type drop-down lists Automation Runbook, Azure Function, ITSM, Logic App, Secure Webhook, and Webhook.]

FIGURE 5-29 Actions blade - Create Action Group


Once the Action Group is created, specify the remaining alert rule details: the Alert rule name, Description, the Resource group in which to save the alert rule, the Severity, and whether to enable the alert rule upon creation (see Figure 5-30).

[Figure: the Alert rule details section. "Provide details on your alert rule so that you can identify and manage it later." Alert rule name = ExamRefAlertRule; Description = "Whenever the average percentage cpu is less than or equal to 10 % then Shutdown the VM"; Save alert rule to resource group = ExamRef-RG; Severity = Sev 3; Enable alert rule upon creation checked; a Create alert rule button.]

FIGURE 5-30 Alert rule details
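The same action group and alert rule can be created without the portal. The following Azure PowerShell script is an added example and not part of the book: it builds the action group (e-mail plus webhook receivers) and the "average Percentage CPU <= 10 %" metric alert rule from Figures 5-23 through 5-30 for ExamRef-VM. It assumes an existing session (Connect-AzAccount) in the subscription that holds ExamRef-RG and the Az.Monitor and Az.Compute modules; the e-mail address, webhook URL and action group names are placeholders.

```powershell
# Added example (not from the book). Requires the Az.Monitor and Az.Compute modules
# and an existing session (Connect-AzAccount). All names below are placeholders.
$rg = "ExamRef-RG"
$vm = Get-AzVM -ResourceGroupName $rg -Name "ExamRef-VM"

# --- Action group ------------------------------------------------------------
# Receivers are created as objects first and then attached to the group.
# -UseCommonAlertSchema gives every receiver the same JSON layout, so a
# webhook consumer can validate one schema regardless of the alert type.
$emailReceiver = New-AzActionGroupReceiver -Name "ops-email" `
    -EmailReceiver -EmailAddress "ops@contoso.example" -UseCommonAlertSchema

# The webhook URL is the only thing that identifies the receiving endpoint to
# Azure, so keep it out of source control and have the endpoint verify the
# payload (or use the Secure Webhook action type, which adds Azure AD auth).
$webhookReceiver = New-AzActionGroupReceiver -Name "ops-webhook" `
    -WebhookReceiver -ServiceUri "https://hooks.contoso.example/azure-alerts" `
    -UseCommonAlertSchema

# ShortName is what appears in SMS/e-mail subjects; the portal limits it to 12 characters.
$actionGroup = Set-AzActionGroup -Name "ExamRef-AG" -ResourceGroupName $rg `
    -ShortName "ExamRefAG" -Receiver $emailReceiver, $webhookReceiver

# --- Alert rule --------------------------------------------------------------
# Same logic as Figure 5-23: static threshold, Average of Percentage CPU <= 10.
$criteria = New-AzMetricAlertRuleV2Criteria -MetricName "Percentage CPU" `
    -MetricNamespace "Microsoft.Compute/virtualMachines" `
    -TimeAggregation Average -Operator LessThanOrEqual -Threshold 10

# WindowSize = aggregation granularity (period); Frequency = how often it is evaluated.
$rule = Add-AzMetricAlertRuleV2 -Name "ExamRefAlertRule" -ResourceGroupName $rg `
    -Description "Whenever the average percentage cpu is less than or equal to 10 % then Shutdown the VM" `
    -TargetResourceId $vm.Id -Condition $criteria `
    -WindowSize (New-TimeSpan -Minutes 5) -Frequency (New-TimeSpan -Minutes 5) `
    -ActionGroupId $actionGroup.Id -Severity 3

# --- Verify what was deployed ------------------------------------------------
Get-AzMetricAlertRuleV2 -ResourceGroupName $rg -Name "ExamRefAlertRule" |
    Select-Object Name, Severity, Enabled, WindowSize, EvaluationFrequency
```

Because the action group is a separate resource, the script can be re-run for further alert rules that reuse `$actionGroup.Id`. Anyone who can write to the action group can redirect every rule that references it, so scope write access to action groups as tightly as you scope access to the alert rules themselves.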


View alerts in Azure Monitor 


After an alert rule has been created, the alert rule and Action Group can be managed through 
Azure Monitor from the Alerts blade by selecting Manage Alert Rules. Alerts can be man- 
aged across multiple subscriptions and can be filtered by Resource Group, Resource Type, 
Signal Type, and Status (see Figure 5-31). 
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FIGURE 5-31 Azure Monitor new action alert rule details 


Alert rules do not generate alerts immediately; for metric alerts it can take up to 10 minutes after the condition is met. When alerts are generated, they are distributed according to the actions defined in the Action Group. For example, when an email is sent, the defined users receive a message with the alert details and a link to view the alert in the Azure portal, as shown in Figure 5-32.


[Figure: the notification email from Microsoft Azure, "Your Azure Monitor alert was triggered": "Azure monitor alert rule ExamRefAlertRule was triggered for ExamRef-VM at August 17, 2020 6:53 UTC." Alert rule description: "Whenever the average percentage cpu is less than or equal to 10 % then Shutdown the VM." Links: View Rule (Rule ID) and View Resource (Resource ID). Alert activated because: Metric name = Percentage CPU; Metric namespace = virtualMachines/ExamRef-VM; Dimensions: microsoft.resourceType = Microsoft.Compute/virtualMachines; Time Aggregation = Average.]

FIGURE 5-32 Azure Monitor alert notification email
NOTE ALERT RULES

You can enable and disable alert rules as needed to meet your requirements.

When the monitor condition of an alert changes to Resolved because the underlying condition has cleared, notifications are sent for that state change as well.


Analyze alerts across subscriptions 


When an alert rule is created, it targets resources in a single subscription, and the alerts generated from it are associated with the subscription from which they were generated. Azure operators are not limited to viewing alerts from a single subscription, however: Azure Monitor provides a single pane of glass for managing alert rules across multiple subscriptions and for managing the alerts they generate.


Recall that alert rules and Action Groups are separate entities. The alerts generated by the conditional logic of an alert rule are separate entities as well: they are managed independently of alert rules and maintain their own state.

Alerts can have one of three states:

■ New. The alert is new and has not been reviewed.

■ Acknowledged. The issue that generated the alert is being actioned by an administrator.

■ Closed. The issue that generated the alert has been resolved, and the alert has been marked as closed.

The state of an alert is updated by the user who is interacting with the alert and is not updated automatically by the Azure platform.


NOTE ALERT STATE 


Alert state is not the same as the monitor condition of an alert. When the Azure platform 
generates an alert based on an alert rule, the alert’s monitor condition is set to fired and when 
the underlying condition clears, the monitor condition is set to resolved. 


As alerts are generated, they appear on the Alerts blade in Azure Monitor. From the Alerts blade, you can view alerts for all subscriptions and drill into one or more specific Subscriptions, Resource Groups, and Resources. You can also filter by Time Range by choosing Past Hour, Past 24 Hours, Past 7 Days, or Past 30 Days from the drop-down menu (see Figure 5-33).
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FIGURE 5-33 Azure Monitor Alerts dashboard 


Selecting one of the links on the dashboard (such as Total Alerts) will open the All Alerts 
blade, as shown in Figure 5-34. 


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FIGURE 5-34 Azure Monitor All alerts blade 


The view on this page can be filtered through the drop-down menus, and you can also filter, sort, and edit the columns that are displayed, with the following limitations:

■ When you filter by subscription, you can select a maximum of five subscriptions.

■ When filtering by resource group, you can select only one resource group at a time.

■ The Resource Type filter is dynamic and is based on the selected resource group. You cannot select resource types that are not deployed to the resource group you are filtering with.

■ The Time Range filter shows only alerts fired within the selected time window; the supported values are the past hour, the past 24 hours, the past 7 days, and the past 30 days.


Selecting an alert will open the alert details (see Figure 5-35). From this blade, you can view 
Alert History, including any changes to monitor condition state. This is also where you can alter 
the alert state to New, Acknowledged, or Closed. If the state of an alert is changed, that change 
is included in the alert history for audit purposes. 
[Figure: the alert details blade (tabs Summary, History, Diagnostics). Severity Sev3, fired 8/17/2020, 2:53:46 AM; affected resource examref-vm in resource group examref-rg; the State field with a Change alert state control and the Monitor condition. Criterion: Metric name = Percentage CPU; Metric namespace = Microsoft.Compute/virtualMachines; Time aggregation = Average; Operator = LessThanOrEqual; Threshold = 10 %; Dimension microsoft.resourceType = Microsoft.Compute/virtualMachines. Description: "Whenever the average percentage cpu is less than or equal to 10 % then Shutdown the VM." Monitor service = Platform; signal type = Metric; the Alert id is shown as a GUID.]

FIGURE 5-35 Azure Monitor alert details
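Triage of the alert queue described above (the state changes and the audit trail in the History tab) can also be done from PowerShell. This is an added example, not code from the book: it uses the Az.AlertsManagement module to list fired, un-triaged Sev3 alerts for ExamRef-RG, acknowledge them, and read the recorded history back. The resource group name is a placeholder, and the property names used in the table output are assumed to match what Get-AzAlert returns in your module version.

```powershell
# Added example (not from the book). Requires the Az.AlertsManagement module and an
# existing session (Connect-AzAccount). The resource group name is a placeholder.
Import-Module Az.AlertsManagement

$rg = "ExamRef-RG"

# Fired alerts from the last 24 hours that nobody has looked at yet (State = New).
# Severity, State, MonitorCondition and TimeRange take the same values as the portal filters.
$untriaged = Get-AzAlert -TargetResourceGroup $rg -MonitorCondition Fired `
    -State New -Severity Sev3 -TimeRange 1d

$untriaged | Format-Table StartDateTime, Name, Severity, MonitorCondition, TargetResource

# Acknowledge each one. Alert state is user-owned: the platform never moves it,
# it only flips MonitorCondition between Fired and Resolved.
foreach ($alert in $untriaged) {
    Update-AzAlertState -AlertId $alert.Id -State Acknowledged | Out-Null
}

# The change is recorded in the alert history (the History tab in Figure 5-35),
# which is what you would pull for an audit of who handled what and when.
foreach ($alert in $untriaged) {
    Get-AzAlertHistory -AlertId $alert.Id
}

# Alerts whose condition has already cleared but were never closed: a sign that
# nobody is working the queue, and the set you would close in bulk after review.
Get-AzAlert -TargetResourceGroup $rg -MonitorCondition Resolved -State New -TimeRange 7d |
    Format-Table StartDateTime, Name, TargetResource
```

Run the last query on its own first; closing resolved alerts in bulk is safe only once you have confirmed that the resolution was genuine and not caused by someone disabling the rule.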


Configure Application Insights 


Application Insights is used for development and as a production monitoring solution. It works 
by installing a package into your app, which can provide a more internal view of what's going 
on with your code. Its data includes response times of dependencies, exception traces, debug- 
ging snapshots, and execution profiles. It provides powerful smart tools for analyzing all this 
telemetry both to help you debug an app, and to help you understand what users are doing 
with it. You can tell whether a spike in response times is caused by something in an app or an 
external resourcing issue. Application Insights provides significantly more value when your 
application is instrumented to emit custom events and exception information. 


To create an Application Insights resource, open Azure Monitor, select Applications under Insights in the left-side navigation pane, and click the Create Application Insights button, as shown in Figure 5-36.
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FIGURE 5-36 Create Application Insights apps 


On the Basics blade, select the Subscription, Resource Group, Region, Resource Mode, 
and Log Analytics Workspace and specify the Name (see Figure 5-37). 


[Figure: the Application Insights creation page ("Monitor web app performance and usage"), Basics tab. Project details: Subscription = Visual Studio Ultimate with MSDN; Resource Group = ExamRef-RG. Instance details: Name = ExamRef-AppInsights; Region = (US) East US; Resource Mode = Workspace-based (preview). Workspace details: Subscription = Visual Studio Ultimate with MSDN; Log Analytics Workspace = ExamRef-LAWorkspace [canadacentral].]

FIGURE 5-37 Basics blade — Application Insights
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Application Insights has an extensive dashboard depicting all the aspects of your 
application workload, as shown in Figure 5-38. The dashboard displays application 
performance, usage, diagnostic, and other app data. The dashboard can be customized 
based on your preferences. 
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FIGURE 5-38 Application Insights Dashboard 


You can learn more about Application Insights including samples for emitting custom 
telemetry at: https://docs.microsoft.com/azure/azure-monitor/app/app-insights-overview/. 


Skill 5.2: Implement backup and recovery 


Azure Backup is a service that allows you to back up on-premises servers, cloud-based virtual machines, and virtualized workloads such as SQL Server and SharePoint to Microsoft Azure. It also supports backup of Azure Storage file shares.

This section covers how to:
■ Create a Recovery Services vault
■ Create and configure backup policy
■ Perform backup and restore operations by using Azure Backup
■ Perform site-to-site recovery by using Azure Site Recovery
■ Configure and review backup reports
Create a Recovery Services Vault

Within Azure, a single resource type, the Recovery Services Vault, is provisioned for both Azure Backup and Azure Site Recovery. It is also the resource used for the configuration and management of both Backup and Site Recovery.


Create a Recovery Services Vault (Azure portal) 
To create a Recovery Services Vault from the Azure portal, follow these steps: 


1. Click Create A Resource, and in the marketplace search dialog box, type Backup and 
Site Recovery and click the Backup And Site Recovery option. 


2. On the marketplace page for Backup And Site Recovery, click Create. 


3. Enter the name of the vault and choose the resource group where it resides or create a 
new resource group. 


4. Then choose the region where you want to create the resource, as shown in 
Figure 5-39. 


[Figure: the Create Recovery Services vault page (Basics tab; Preview label). "Select the subscription and the resource group in which you want to create the vault." Project details: Subscription = Visual Studio Ultimate with MSDN; Resource group = ExamRef-RG. Instance details: Vault name = ExamRef-RSVault; Region = Canada Central.]

FIGURE 5-39 Completing the creation of the vault


Use Soft Delete to recover Azure VMs

Without Soft Delete, deleting a backup deletes the backup data permanently. Soft Delete is a feature that retains backup data after it has been deleted, whether accidentally or by someone who has gained access to the vault, so that it can be recovered. The feature is controlled in the Recovery Services Vault by choosing Properties > Security Settings (see Figure 5-40). When Soft Delete is on, backup data is retained for 14 days after deletion.
MORE INFO SOFT DELETE FOR AZURE VM BACKUP

You can learn more about using Soft Delete with Azure VM Backup at https://docs.microsoft.com/azure/backup/backup-azure-security-feature-cloud#soft-delete.

FIGURE 5-40 Enabling Soft Delete on Recovery Services Vault


If the Soft Delete option is enabled, you can delete the backup data by clicking the Stop Backup button and then selecting Delete Backup Data with an appropriate reason. Once deleted, the soft-deleted backup item appears as shown in Figure 5-41.

FIGURE 5-41 Soft Delete—enabled backup item after deletion

You can select Undelete at any time within the 14-day retention period (see Figure 5-42). Once the data is restored, you can resume the backup.
[Figure: the Undelete ExamRef-VMs dialog. "All restore points for this backup item will be undeleted and the item will come to 'Stop protection with retain data' state. You can 'Resume backup' to continue the scheduled backup operations as per the selected policy. Note: Garbage Collection will start with resume backup operation and all the expired restore points will be cleaned." Backup item = ExamRef-VMs; Deletion time = 8/17/2020, 10:59:39 AM (21 seconds ago); Days left until permanent deletion = 13.]

FIGURE 5-42 Soft Delete Undelete option for ExamRef-VMs
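The vault creation and Soft Delete steps above, scripted. This is an added example and not code from the book: it creates the vault from Figure 5-39 with the Az.RecoveryServices module, sets its storage redundancy and Soft Delete state, and then shows the Undelete and resume flow from Figure 5-42 for a backup item that someone has deleted. Vault, resource group, policy and backup item names are placeholders; it assumes an existing session (Connect-AzAccount).

```powershell
# Added example (not from the book). Requires the Az.RecoveryServices module and an
# existing session (Connect-AzAccount). Names are placeholders.
$rg = "ExamRef-RG"

# 1. Create the vault (Figure 5-39).
$vault = New-AzRecoveryServicesVault -Name "ExamRef-RSVault" -ResourceGroupName $rg -Location "canadacentral"

# 2. Pick the storage redundancy now: it can only be changed while the vault has no protected items.
Set-AzRecoveryServicesBackupProperty -Vault $vault -BackupStorageRedundancy GeoRedundant

# 3. Make sure Soft Delete is on (Properties > Security Settings in Figure 5-40) and read it back.
Set-AzRecoveryServicesVaultProperty -VaultId $vault.ID -SoftDeleteFeatureState Enable
Get-AzRecoveryServicesVaultProperty -VaultId $vault.ID

# --- Later: someone has clicked Stop Backup > Delete Backup Data on ExamRef-VMs ---------------
# With Soft Delete the item is still listed; DeleteState tells you it is inside the 14-day window.
$item = Get-AzRecoveryServicesBackupItem -BackupManagementType AzureVM -WorkloadType AzureVM `
    -Name "ExamRef-VMs" -VaultId $vault.ID
$item | Select-Object Name, ProtectionState, DeleteState

if ($item.DeleteState -eq "ToBeDeleted") {
    # Equivalent of the Undelete button in Figure 5-42: every restore point comes back and the
    # item returns to the "Stop protection with retain data" state.
    Undo-AzRecoveryServicesBackupItemDeletion -Item $item -VaultId $vault.ID

    # Resume scheduled backups under a policy; expired restore points are then garbage-collected.
    $policy = Get-AzRecoveryServicesBackupProtectionPolicy -Name "DefaultPolicy" -VaultId $vault.ID
    Enable-AzRecoveryServicesBackupProtection -Item $item -Policy $policy -VaultId $vault.ID
}
```

Soft Delete is a per-vault setting, so a script that audits all vaults in a subscription should read Get-AzRecoveryServicesVaultProperty for each of them; the 14-day window is the whole margin you have to notice a deletion and undo it.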


Create and configure Backup Policy 


You can edit a policy, associate more VMs to a policy, and delete unnecessary policies to meet 
compliance requirements. 


To view your current backup policies in the Azure portal, open the Recovery Services 
Vault blade, and then click Backup Policies (Figure 5-43). Click an existing policy to view the 
policy details, or click Add to create a new policy. 
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FIGURE 5-43 Backup policies in the Recovery Services Vault 
You can create four different types of policies from this view, as shown in Figure 5-44.

■ Azure Virtual Machine. Allows you to specify the backup frequency, retention period, and the backup point on a weekly, monthly, and yearly schedule.

■ SAP HANA In Azure VM. Allows you to use SAP HANA-specific backup technology such as full, differential, and log backups with an associated schedule for each option.

■ Azure File Share. Allows you to schedule a daily backup for an Azure file share.

■ SQL Server In Azure VM. Allows you to use SQL Server-specific backup technology, such as full, differential, and log backups, with an associated schedule for each option. Also, you can enable SQL backup compression.


[Figure: the Backup policies blade of ExamRef-RSV with Add selected; the Policy Type list offers Azure Virtual Machine, SQL Server in Azure VM, SAP HANA in Azure VM, and Azure File Share.]

FIGURE 5-44 Available backup policy options in the Azure portal


Define backup policies 


An Azure Backup policy defines how often backups occur and how long they are retained. The default policy performs a daily backup at 05:30 PM UTC and retains backups for 30 days; you can also define custom backup policies. In Figure 5-45, a custom backup policy is configured. In the Frequency drop-down menu, Daily has been chosen, though Weekly, Monthly, and Yearly are also available.


Implement backup policies 


To implement a backup policy, open the policy in the Azure portal and click the Associated 
Items button, as shown in Figure 5-46. 
FIGURE 5-45 Configuring a custom backup policy

[Figure: the ExamRefBackupPolicy backup policy blade of ExamRef-RSV. Backup frequency: Daily at 6:30 AM Eastern Standard Time. Retention range: daily backup point retained for 180 days; weekly backup point (taken every Sunday) retained for 52 weeks; monthly backup point (first Sunday) retained for 60 months; yearly backup point (first Sunday in January) retained for 10 years.]

FIGURE 5-46 The associated items link for the Azure policy
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The Associated Items blade in Figure 5-47 shows all the resources currently associated 
with the policy. 


[Figure: the Associated items blade, listing the resources protected by the policy.]

FIGURE 5-47 The associated items for the backup policy


Clicking Add will launch the Backup Goal blade, where you can add other virtual machines 
or file shares to be backed up using the goals defined in the policy. 
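The policy in Figures 5-45 through 5-47 (daily at 6:30 AM Eastern, 180-day daily, 52-week weekly, 60-month monthly and 10-year yearly retention) can be defined and associated with a VM from PowerShell. This is an added example and not code from the book; it assumes the Az.RecoveryServices module, an existing session (Connect-AzAccount), and that the vault ExamRef-RSV and VM ExamRef-VM exist in ExamRef-RG. It also prints the retention of every VM policy in the vault so that an unexpectedly short retention stands out.

```powershell
# Added example (not from the book). Requires the Az.RecoveryServices module and an
# existing session (Connect-AzAccount). Names are placeholders.
$vault = Get-AzRecoveryServicesVault -ResourceGroupName "ExamRef-RG" -Name "ExamRef-RSV"

# Start from the default schedule and retention objects for Azure VMs and edit them.
$schedule = Get-AzRecoveryServicesBackupSchedulePolicyObject -WorkloadType AzureVM
$schedule.ScheduleRunTimes.Clear()
# Run times are stored in UTC and must fall on the hour or half hour; only the time of day is
# used. 11:30 UTC is 6:30 AM Eastern Standard Time, the value shown in Figure 5-46.
$schedule.ScheduleRunTimes.Add([DateTime]::new(2020, 8, 17, 11, 30, 0, [DateTimeKind]::Utc))

$retention = Get-AzRecoveryServicesBackupRetentionPolicyObject -WorkloadType AzureVM
$retention.IsDailyScheduleEnabled   = $true
$retention.DailySchedule.DurationCountInDays     = 180   # daily points kept 180 days
$retention.IsWeeklyScheduleEnabled  = $true
$retention.WeeklySchedule.DurationCountInWeeks   = 52    # weekly (Sunday) point kept 52 weeks
$retention.IsMonthlyScheduleEnabled = $true
$retention.MonthlySchedule.DurationCountInMonths = 60    # monthly (first Sunday) point kept 60 months
$retention.IsYearlyScheduleEnabled  = $true
$retention.YearlySchedule.DurationCountInYears   = 10    # yearly (January, first Sunday) point kept 10 years

$policy = New-AzRecoveryServicesBackupProtectionPolicy -Name "ExamRefBackupPolicy" `
    -WorkloadType AzureVM -SchedulePolicy $schedule -RetentionPolicy $retention -VaultId $vault.ID

# Review every VM policy in the vault. A policy someone quietly shortened to a few days is an
# easy way to lose the restore points you were counting on.
Get-AzRecoveryServicesBackupProtectionPolicy -VaultId $vault.ID -WorkloadType AzureVM |
    Format-Table Name,
        @{ n = "DailyDays";   e = { $_.RetentionPolicy.DailySchedule.DurationCountInDays } },
        @{ n = "WeeklyWeeks"; e = { $_.RetentionPolicy.WeeklySchedule.DurationCountInWeeks } }

# Associate a VM with the new policy (the Add button on the Associated Items blade, Figure 5-47).
Enable-AzRecoveryServicesBackupProtection -Policy $policy -Name "ExamRef-VM" `
    -ResourceGroupName "ExamRef-RG" -VaultId $vault.ID
```

The default retention object already uses Sunday for the weekly point, the first week for the monthly point and January for the yearly point, which is why only the duration counts are changed here.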


Perform backup and restore operations by using 
Azure Backup Service 


The Azure Backup service can back up and restore both cloud and on-premises resources. The Recovery Services Vault is used to enable Azure Backup and to configure the backup policies.


Backup and restore with Azure workloads
For Azure workloads, the Azure Backup service can back up the following resources:
■ Virtual machines
■ SAP HANA databases running in an Azure VM
■ Azure file shares
■ SQL Server databases running in an Azure VM

When you back up an Azure virtual machine, you can restore the entire virtual machine or individual files from it, and it is easy to set up. To back up a VM in Azure with Azure Backup, open the Recovery Services Vault and click Backup under Getting Started. From the Where Is Your Workload Running? drop-down menu, select Azure, and from the What Do You Want To Backup? drop-down menu, select Virtual Machine. After making these selections, click Backup, as shown in Figure 5-48.
[Figure: the Getting Started section of the vault, with Backup and Site Recovery entries.]

FIGURE 5-48 Configuring Azure Backup to protect virtual machines


Next, choose a backup policy from the Policy drop-down menu, or click the Create 
New Policy link to create your own policy. Next, choose the VMs to back up by clicking the 
Add button on the lower left and then select the virtual machines from the Select Virtual 
Machines list as shown in Figure 5-49. Only VMs located in the same region as the Recovery 
Services Vault are available for backup. 
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FIGURE 5-49 Configuring Azure Backup to backup virtual machines and using the default policy 


After the VMs are selected, click the Enable Backup button. 
NOTE AZURE VM PROTECTION AND VAULT STORAGE REDUNDANCY TYPE

When protecting IaaS VMs by using Azure Backup, only VMs in the same region as the Recovery Services Vault are available for backup. Because of this, it is a best practice to choose Geo-Redundant storage or Read-Access Geo-Redundant storage for the Recovery Services Vault, which ensures that if a regional outage affects VM access, a replicated copy of the backup exists in another region. The storage redundancy type can only be changed while the vault contains no protected items, so set it before you enable backup for the first VM.


When you click the Enable Backup button, the VMSnapshot (for Windows) or VMSnapshotLinux (for Linux) extension is automatically deployed to the VMs by the Azure fabric controller. This allows snapshot-based backups: a snapshot of the VM is taken first, and then the snapshot is streamed to the Azure Storage associated with the Recovery Services Vault. The initial backup is not taken until the day and time configured in the backup policy, though an ad hoc backup can be initiated at any time. To do so, navigate to the Protected Items section of the Recovery Services Vault properties, click Backup Items, and click Azure Virtual Machine under Backup Management Type. The VMs that are enabled for backup are listed here. To begin an ad hoc backup, right-click a VM and select Backup Now, as shown in Figure 5-50.

[Figure: the Backup items blade of ExamRef-RSV (Azure Virtual Machine), with Backup Now selected for a VM.]

FIGURE 5-50 Starting an ad hoc backup
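The enable-backup and Backup Now steps above, scripted. This is an added example and not code from the book: it enables protection for ExamRef-VM with the vault's DefaultPolicy, confirms that the snapshot extension was installed, runs an ad hoc backup and waits for the job, then lists recent failed jobs. It assumes the Az.RecoveryServices and Az.Compute modules, an existing session (Connect-AzAccount), and that the vault ExamRef-RSV already exists in ExamRef-RG; names are placeholders.

```powershell
# Added example (not from the book). Requires the Az.RecoveryServices and Az.Compute modules
# and an existing session (Connect-AzAccount). Names are placeholders.
$rg     = "ExamRef-RG"
$vault  = Get-AzRecoveryServicesVault -ResourceGroupName $rg -Name "ExamRef-RSV"
$policy = Get-AzRecoveryServicesBackupProtectionPolicy -Name "DefaultPolicy" -VaultId $vault.ID

# Enable Backup (Figure 5-49). The VM must be in the same region as the vault.
Enable-AzRecoveryServicesBackupProtection -Policy $policy -Name "ExamRef-VM" `
    -ResourceGroupName $rg -VaultId $vault.ID

# The fabric controller installs the VMSnapshot / VMSnapshotLinux extension; confirm it landed.
Get-AzVMExtension -ResourceGroupName $rg -VMName "ExamRef-VM" |
    Where-Object Publisher -eq "Microsoft.Azure.RecoveryServices" |
    Select-Object Name, ExtensionType, ProvisioningState

# Backup Now (Figure 5-50). An ad hoc point needs an explicit expiry; this one is kept 30 days.
$container = Get-AzRecoveryServicesBackupContainer -ContainerType AzureVM `
    -FriendlyName "ExamRef-VM" -VaultId $vault.ID
$item = Get-AzRecoveryServicesBackupItem -Container $container -WorkloadType AzureVM -VaultId $vault.ID
$job  = Backup-AzRecoveryServicesBackupItem -Item $item -VaultId $vault.ID `
    -ExpiryDateTimeUTC (Get-Date).AddDays(30).ToUniversalTime()

# Wait for the job (up to 12 hours) and show the outcome.
Wait-AzRecoveryServicesBackupJob -Job $job -VaultId $vault.ID -Timeout 43200 | Out-Null
Get-AzRecoveryServicesBackupJob -JobId $job.JobId -VaultId $vault.ID |
    Select-Object WorkloadName, Operation, Status, StartTime, EndTime

# Backup jobs that failed in the last week, so that a VM silently going unprotected is noticed.
Get-AzRecoveryServicesBackupJob -Status Failed -From (Get-Date).AddDays(-7).ToUniversalTime() `
    -VaultId $vault.ID | Select-Object WorkloadName, Operation, Status, StartTime
```

The failed-jobs query is the part worth scheduling: a backup that stops running is not visible in the portal unless someone looks, and a restore point you assumed existed is the one you will want after an incident.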


Azure Backup also directly supports the ability to back up and restore data from Azure Files, 
SQL Server databases, and SAP HANA databases on Azure virtual machines. It is a good idea to 
have a basic understanding of the capabilities because they might appear on the exam. 
MORE INFO AZURE FILES AND SQL SERVER IN AN AZURE VM

Learn about the current capabilities of Azure Backup support for Azure Files at https://docs.microsoft.com/azure/backup/backup-azure-files, SQL Server on Azure VM at https://docs.microsoft.com/azure/backup/backup-azure-sql-database, and SAP HANA on Azure VM at https://docs.microsoft.com/azure/backup/sap-hana-db-about.


After backing up a virtual machine using Azure Backup there are two methods to restore 
data: Restore VM and File Recovery. 


To restore a recovery point as a new virtual machine, open the Recovery Services vault, and 
click on Backup Items, then click Azure Virtual Machine, and then click the virtual machine 
you want to restore from the list. The next screen will list all the restore points available for 
restoration, as shown in Figure 5-51. 


Right-click the desired restore point and select Restore VM (see Figure 5-52), or click the 
Restore VM link at the top of the page (see Figure 5-53). 
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FIGURE 5-51 Available restore points for a virtual machine. 


[Figure: the Restore points list (1 restore point). "This list is filtered for last 30 days of restore points. To recover from restore point older than 30 days, click here."]

FIGURE 5-52 Restore VM option 1


From there, you can then restore to a new virtual machine by selecting Create New, or you 
can restore over an existing virtual machine by selecting Replace Existing. 
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FIGURE 5-53 Restore VM option 2 


Figure 5-54 shows the Restore Virtual Machine blade with the Create New option 
selected. Here, you can specify the virtual machine name, resource group, virtual network, 
subnet, and storage account. 


[Figure: the Restore Virtual Machine blade for examref-vm. "Restore allows you to restore VM/disks from a selected Restore Point." Restore point = 8/17/2020, 6:08:55 AM. Restore Configuration: Create new (selected) or Replace existing; a note that an alternate configuration can be created when restoring the VM by using PowerShell cmdlets. Restore Type = Create new virtual machine; Virtual machine name = ExamRef-VMNew; Resource group = ExamRef-RG.]

FIGURE 5-54 Restore to a new virtual machine
If you just need access to files from the virtual machine, choose the File Recovery option at the top of the page shown previously in Figure 5-51 instead. From there, you select the recovery point and download a script that mounts the selected recovery point on another computer as local disks (see Figure 5-55). The disks remain mounted for 12 hours so that you can recover the needed data. The script is protected by a generated password shown on the same blade; treat the script and password as credentials to the backup data, and run the script only on a machine you trust with that data.


[Figure: the File Recovery blade for examref-vm. Step 1: Select recovery point (8/17/2020, 6:08:55 AM [Latest]). Step 2: Download script to browse and recover files: "This script will mount the disks from the selected recovery point as local drives on the machine where it is run. These drives will remain mounted for 12 hours." A Download Script button and the generated password to run the script. Step 3: Unmount the disks after recovery (Unmount Disks). Notes: run the script on the machine where you want to copy the files; to restore files larger than 10 GB, restore the entire VM to an alternate location or restore disks using PowerShell; data transfer rate up to 1 GB/hr.]

FIGURE 5-55 File Recovery for a virtual machine


EXAM TIP

To restore a virtual machine that has encrypted disks, you also need to give the Azure Backup service access to the Key Vault holding the keys. See https://docs.microsoft.com/azure/backup/backup-azure-vms-encryption.
MORE INFO MORE DETAILS ABOUT RESTORING VIRTUAL MACHINES AND FILES

You can learn more about recovering virtual machines with the Azure Backup service at https://docs.microsoft.com/azure/backup/backup-azure-arm-restore-vms. For more information about file-level recovery, see https://docs.microsoft.com/azure/backup/backup-azure-restore-files-from-vm.
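The Restore VM flow in Figures 5-51 through 5-54, together with the Key Vault step from the Exam Tip, can be done in PowerShell, which is also the route the portal points to for an alternate configuration. This is an added example and not code from the book. It picks the newest restore point from the last 30 days, grants the Backup service the Key Vault permissions it needs when the VM is encrypted, restores the disks to a staging storage account and deploys the generated template as a new VM. It assumes the Az.RecoveryServices, Az.KeyVault, Az.Storage and Az.Resources modules and an existing session (Connect-AzAccount); the vault, key vault (ExamRef-KV) and storage account (examrefstaging) names are placeholders, and the job-detail property keys are the ones given in the Azure Backup PowerShell documentation.

```powershell
# Added example (not from the book). Requires the Az.RecoveryServices, Az.KeyVault, Az.Storage and
# Az.Resources modules and an existing session (Connect-AzAccount). Names are placeholders.
$rg    = "ExamRef-RG"
$vault = Get-AzRecoveryServicesVault -ResourceGroupName $rg -Name "ExamRef-RSV"

$container = Get-AzRecoveryServicesBackupContainer -ContainerType AzureVM `
    -FriendlyName "ExamRef-VM" -VaultId $vault.ID
$item = Get-AzRecoveryServicesBackupItem -Container $container -WorkloadType AzureVM -VaultId $vault.ID

# Newest restore point from the last 30 days (the same window the portal list uses, Figure 5-52).
$now = (Get-Date).ToUniversalTime()
$rp  = Get-AzRecoveryServicesBackupRecoveryPoint -Item $item -VaultId $vault.ID `
    -StartDate $now.AddDays(-30) -EndDate $now |
    Sort-Object RecoveryPointTime -Descending | Select-Object -First 1
$rp | Select-Object RecoveryPointTime, RecoveryPointType, EncryptionEnabled

# EXAM TIP: for an encrypted VM the Backup service must be able to read the key material from
# Key Vault. This grants the "Backup Management Service" principal the documented permissions.
# (Applies to vaults using the access-policy model; RBAC-model vaults need a role assignment.)
if ($rp.EncryptionEnabled) {
    $backupSp = Get-AzADServicePrincipal -DisplayName "Backup Management Service"
    Set-AzKeyVaultAccessPolicy -VaultName "ExamRef-KV" -ResourceGroupName $rg -ObjectId $backupSp.Id `
        -PermissionsToKeys get, list, backup -PermissionsToSecrets get, list, backup
}

# Restore the disks to a staging storage account (Figure 5-54's "Create new" done in two steps).
$restoreJob = Restore-AzRecoveryServicesBackupItem -RecoveryPoint $rp -VaultId $vault.ID `
    -StorageAccountName "examrefstaging" -StorageAccountResourceGroupName $rg -TargetResourceGroupName $rg
Wait-AzRecoveryServicesBackupJob -Job $restoreJob -VaultId $vault.ID | Out-Null

# The job details carry the ARM template that describes the restored VM (keys per the Azure docs).
$detail        = Get-AzRecoveryServicesBackupJobDetail -Job $restoreJob -VaultId $vault.ID
$templateUri   = $detail.Properties["Template Blob Uri"]
$containerName = $detail.Properties["Config Blob Container Name"]

# The template blob is private: mint a one-hour read-only SAS for it, then deploy it as a new VM.
# Supply the template's own parameters (such as the new VM name) when prompted.
$ctx = (Get-AzStorageAccount -ResourceGroupName $rg -Name "examrefstaging").Context
$sas = New-AzStorageContainerSASToken -Name $containerName -Permission r -Context $ctx `
    -ExpiryTime $now.AddHours(1)
New-AzResourceGroupDeployment -Name "ExamRef-VMNew-restore" -ResourceGroupName $rg `
    -TemplateUri ($templateUri + $sas)
```

The staging storage account ends up holding a full copy of the VM's disks, so treat it like the vault: restrict who can read it, and delete the restored blobs once the new VM is running.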


Backup and restore with on-premises workloads 


Azure Backup Server is a standalone service that you install on a Windows Server operating 
system that stores the backed-up data in a Recovery Services Vault. Azure Backup Server inher- 
its much of the workload backup functionality from Data Protection Manager (DPM). Though 
Azure Backup Server shares much of the same functionality as DPM, Azure Backup Server does 
not back up to tape, and it does not integrate with System Center. 


You should consider using Azure Backup Server when you need to back up the following supported workloads:

■ Windows Client
■ Windows Server
■ Linux Servers (running on Hyper-V or VMware)
■ VMware VMs
■ Exchange
■ SharePoint
■ SQL Server
■ System State and Bare Metal Recovery


MORE INFO AZURE BACKUP SERVER PROTECTION MATRIX

The entire list of supported workloads and the versions supported for Azure Backup Server can be found at https://docs.microsoft.com/azure/backup/backup-mabs-protection-matrix.


Follow these steps to install Azure Backup Server:

1. To see the instructions to prepare the infrastructure, navigate to the Recovery Services Vault and, under Getting Started, click Backup.

2. From the Where Is Your Workload Running? drop-down menu, select On-Premises as the location where the workload is running.

3. From the What Do You Want To Backup? drop-down menu, choose Hyper-V Virtual Machine as the workload to back up.

4. Finally, click Prepare Infrastructure, as shown in Figure 5-56.
5. If you are not using any System Center product, it is recommended that you download and install Microsoft Azure Backup Server. On the next screen, clear the Already Using System Center Data Protection Manager Or Any Other System Center Product check box. You will see instructions for downloading and installing Microsoft Azure Backup Server, as shown in Figure 5-57. You will need to download the vault credentials to register the server to the Recovery Services Vault; the credentials file expires after 2 days, and because it lets a server register with the vault, store and transfer it as you would a password. After setting up Azure Backup Server, use its UI to configure the on-premises backup.
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FIGURE 5-56 Configuring Azure Backup to protect on-premises virtual machines 
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FIGURE 5-57 Instructions to prepare infrastructure for on-premises backup using Backup server 
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6. Alternatively, if you are using any System Center environment, check the Already Using 
System Center Date Protection Manager Or Any Other System Center Product 
box. You will these a different set of instructions, which tell you how to download and 
install System Center DPM (Data Protection Manager), as shown in Figure 5-58. You 
might need to download the vault credentials to register the server to the Recovery 
Services Vault, which has expiry date of two days. After setting up the DPM, use its UI to 
configure the on-premises backup. 


[Figure 5-58 (screenshot): Prepare infrastructure blade of the ExamRef-RSV vault with the "Already using System Center Data Protection Manager or any other System Center Product" box checked. Steps shown: 1. Download and install System Center DPM, available with your System Center subscription. 2. Install the Microsoft Azure Recovery Services Agent. 3. Download vault credentials to register the server to the vault; vault credentials expire after 2 days. 4. After preparing the infrastructure, use the DPM UI (on-premises) to configure backup.]

FIGURE 5-58 Instructions to prepare infrastructure for on-premises backup using DPM


To back up files and folders from on-premises machines, you use the Microsoft Azure Recovery Services (MARS) agent. The MARS agent is available for download from the Recovery Services Vault.

1. Click Backup under Getting Started.

2. From the Where Is Your Workload Running? drop-down menu, select On-Premises, and from the What Do You Want To Backup? drop-down menu, choose Files And Folders.

3. Next, click Prepare Infrastructure, and the Recovery Services agent download is made available, as shown in Figure 5-59. You can also download the MARS agent by visiting the vault's Properties and choosing Backup -> Download Recovery Services Agent.

4. Notice there is only a Windows agent, because backing up files and folders with the MARS agent is supported only on Windows computers. Click the link to download the agent. Before initiating the installation of the MARS agent, you should also download the vault credentials file, which is right under the Recovery Services agent download link. The vault credentials file is needed during the installation of the MARS agent.


NOTE VAULT CREDENTIALS EXPIRATION

The vault credentials are only valid for 48 hours from the time of download, so obtain them only when you are ready to install the MARS agent.


[Figure 5-59 (screenshot): Prepare infrastructure blade of the ExamRef-RSV vault for the Recovery Services Agent. Steps shown: 1. Install the Recovery Services agent (Download Agent for Windows Server or Windows Client). 2. Download vault credentials to register the server to the vault; vault credentials expire after 2 days. 3. Schedule backup using the Recovery Services Agent UI. 4. Once backups are scheduled, use the backup jobs page to monitor them. 5. You can also configure notifications from the alerts page to receive email alerts for backup failures.]

FIGURE 5-59 Downloading the MARS agent


5. During the MARS agent installation, a cache location must be specified. This cache location must have free disk space equal to or greater than five percent of the total amount of data to be protected. These configuration options are shown in Figure 5-60.

6. The agent needs to communicate with the Azure Backup service over the Internet, so on the Proxy Configuration screen, configure any required proxy settings.

7. On the Installation page, the required Windows features are added to the system where the agent is being installed. After these features have been added, you can click Install, as shown in Figure 5-61.
[Figure 5-60 (screenshot): Microsoft Azure Recovery Services Agent Setup Wizard, Installation Settings stage. The agent is installed in the folder shown; click Browse to choose a different installation folder. The location specified must have at least 1 GB of free space.]

FIGURE 5-60 Installing the MARS agent

FIGURE 5-61 Final screen of the MARS agent installation
8. Click Proceed To Registration to open the Agent Registration dialog box. Provide the vault credentials by browsing to the path of the downloaded file.

9. On the Encryption Settings page, it is very important that you either specify a passphrase or allow the installation program to generate one. Enter this passphrase twice, and then specify where the passphrase file should be saved. The passphrase file is a plain text file that contains the passphrase, so store it securely and away from the machine it protects.

NOTE AZURE BACKUP ENCRYPTION PASSPHRASE

Data protected by Azure Backup is encrypted using the supplied passphrase. If the passphrase is lost or forgotten, any data protected by Azure Backup cannot be recovered and is lost.

10. After the agent is registered with the Azure Backup service, it can be configured to begin protecting data.

11. Before data can be protected with the registered agent, you must configure settings such as when the backups occur, how often they occur, how long the data is retained, and what data is protected. In the MARS agent interface, click Schedule Backup to begin this configuration process.

12. Click Next to move past the Getting Started screen and click Add Items to add files and folders. Clicking Exclusion Settings allows you to choose certain file types that are not protected, as shown in Figure 5-62.


12. Click Next to move past the Getting Started screen and click Add Items to add files 
and folders. Clicking Exclusion Settings allows you to choose certain file types that are 
not protected, as shown in Figure 5-62. 


[Figure 5-62 (screenshot): Schedule Backup Wizard, Select Items to Backup page, with C:\Data\ added. The page notes that if a backup location includes file types or sub-folders that you do not want to back up, you click Exclusion Settings to remove those items from the backup, and that Exclusion Settings should also be used to remove all items within a volume.]

FIGURE 5-62 Configuring the MARS agent to protect data
13. Next, schedule how often backups should occur. The agent can be configured to back up daily or weekly, with a maximum of three backups taken per day.


14. Specify the retention you want, and the initial Backup Type (Over The Network or 
Offline). Confirm the settings to complete the wizard. Backups are now scheduled to 
occur, but they can also be initiated at any time by clicking Back Up Now on the home 
screen of the agent. Figure 5-63 shows an active backup. 


[Figure 5-63 (screenshot): Schedule Backup Wizard, Modify Backup Progress page. Status: Creating Backup Schedule...; the action "Create backup schedule for Files and Folders" is In Progress.]

FIGURE 5-63 Creating Backup Schedule


Follow these steps to recover data: 


1. Click the Recover Data option on the home screen of the MARS agent. This initiates the 
Recover Data Wizard. 


2. Choose the computer to which you want to restore the data. Generally, this is the same 
computer the data was backed up from. 


3. Next, choose the data to recover, the date on which the backup took place, and the time 
the backup occurred. These choices comprise the recovery point to restore. 


4. Click Mount to mount the selected recovery point as a volume, and then choose the 
location to recover the data. 


5. Confirming the selected options starts the recovery. 
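The registration, scheduling and recovery steps above can also be scripted with the MSOnlineBackup PowerShell module that the MARS agent installs, which is how you keep the passphrase and the vault credentials out of a hand-typed wizard on every server. The following is an added example and not code from the book; the vault credentials file name, the protected and restore paths, the file name being restored and the policy values are assumptions for illustration.

```powershell
# Added example (not from the book): register the MARS agent, define a
# files-and-folders policy and restore a file with the MSOnlineBackup module
# installed by the agent. File names, paths and policy values are assumptions.
Import-Module MSOnlineBackup

# --- Registration ---------------------------------------------------------
# The vault credentials file downloaded from the portal is valid for two days
# and lets any machine holding it join the vault, so remove it after use.
$vaultCreds = 'C:\Temp\ExamRef-RSV.VaultCredentials'          # assumed file name
Start-OBRegistration -VaultCredentials $vaultCreds -Confirm:$false
Remove-Item -Path $vaultCreds -Force

# The passphrase encrypts the backup data on the client; if it is lost the data
# is unrecoverable. Prompt for it instead of hard-coding it, and keep the saved
# copy in a secret store rather than on the protected machine. The security PIN
# is generated from the vault's Properties blade.
$passphrase = Read-Host -AsSecureString -Prompt 'Encryption passphrase (at least 16 characters)'
$pin        = Read-Host -Prompt 'Security PIN from the vault'
Set-OBMachineSetting -EncryptionPassphrase $passphrase -SecurityPin $pin

# --- Policy: what, when, how long -----------------------------------------
$policy  = New-OBPolicy
$include = New-OBFileSpec -FileSpec @('C:\Data')                # assumed path
$exclude = New-OBFileSpec -FileSpec @('C:\Data\Temp') -Exclude  # assumed path
Add-OBFileSpec -Policy $policy -FileSpec $include
Add-OBFileSpec -Policy $policy -FileSpec $exclude

# Daily at 18:00 local time. The agent allows at most three run times per day.
$days     = 'Sunday','Monday','Tuesday','Wednesday','Thursday','Friday','Saturday'
$schedule = New-OBSchedule -DaysOfWeek $days -TimesOfDay 18:00
Set-OBSchedule -Policy $policy -Schedule $schedule

# Keep recovery points for 30 days.
$retention = New-OBRetentionPolicy -RetentionDays 30
Set-OBRetentionPolicy -Policy $policy -RetentionPolicy $retention

Set-OBPolicy -Policy $policy -Confirm:$false

# Run a backup immediately instead of waiting for the schedule.
Start-OBBackup -Policy $policy

# --- Recovery -------------------------------------------------------------
# Equivalent of Recover Data > this server > pick a recovery point > restore
# to an alternate location. The overwrite behaviour is stated explicitly so an
# older copy never silently replaces a newer file in the target folder.
$source        = (Get-OBRecoverableSource)[0]
$recoveryPoint = (Get-OBRecoverableItem -Source $source)[0]   # inspect the list to pick the right date/time
$item          = Get-OBRecoverableItem -RecoveryPoint $recoveryPoint -Location 'C:\Data' -SearchString 'report.xlsx'  # assumed file
$option        = New-OBRecoveryOption -DestinationPath 'C:\Restore' -OverwriteType Overwrite
Start-OBRecovery -RecoverableItem $item -RecoveryOption $option
```

Run the script in an elevated PowerShell session on the server after the agent installer has completed; `Get-OBMachineSetting` confirms the registration and proxy settings the agent is using.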
Perform site-to-site recovery by using Azure Site Recovery

Every organization has its own business continuity and disaster recovery (BCDR) plan to handle the unexpected outages that inevitably occur. The Azure Site Recovery service enables you to replicate, fail over, and fail back virtual machines as needed. Azure Site Recovery addresses these major scenarios:

■ Azure VMs from one region to another
■ On-premises VMs (VMware, Hyper-V, and physical servers) to Azure
■ On-premises VMs to another site


As an example, let's replicate an Azure VM from one region to another. First, you need a Recovery Services Vault; we will use the one created in the earlier section, named ExamRef-RSV. As a best practice, validate the readiness of the target subscription and region by checking that the VM SKU and the major features the workload depends on are available there.

For enterprise environments, you should also allow-list the URLs that source VMs need for outbound connectivity to the required Azure services, preferably with service tag-based NSG rules rather than IP ranges. The account that configures replication needs at least the Site Recovery Contributor role, and the account that executes failover and failback operations needs at least the Site Recovery Operator role.
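The three readiness checks just described (target SKU availability, least-privilege role assignments on the vault, and service tag-based outbound NSG rules) can be run as a pre-flight script before you click Replicate. The following is an added example and not code from the book or from Microsoft; the region names, VM size, operator account, NSG name and rule priorities are assumptions, and the set of service tags reflects the Azure-to-Azure networking requirements documented for Site Recovery at the time of writing, so check the current list before relying on it.

```powershell
# Added example (not from the book): pre-flight checks for Azure-to-Azure
# replication. Is the VM size offered in the target region, does the operator
# hold only the Site Recovery roles needed, and does the source VM's NSG allow
# the outbound service tags Site Recovery depends on. All names are assumptions.
$targetRegion = 'westus'                       # assumed DR region
$sourceRegion = 'eastus'
$vmSize       = 'Standard_D2s_v3'              # assumed size of ExamRef-VMSR
$operatorUpn  = 'dr-operator@contoso.com'      # assumed account that runs failovers
$vault        = Get-AzRecoveryServicesVault -Name 'ExamRef-RSV' -ResourceGroupName 'ExamRef-RG'

# 1. Target SKU availability: the size must exist in the region and carry no
#    restriction for this subscription, or the failover VM cannot be created.
$sku = Get-AzComputeResourceSku |
    Where-Object { $_.ResourceType -eq 'virtualMachines' -and $_.Name -eq $vmSize -and $_.Locations -contains $targetRegion }
if (-not $sku) { throw "$vmSize is not offered in $targetRegion" }
if ($sku.Restrictions | Where-Object ReasonCode -eq 'NotAvailableForSubscription') {
    throw "$vmSize is restricted for this subscription in $targetRegion; request a SKU unblock first"
}

# 2. Least privilege on the vault: the person who runs failovers needs Site
#    Recovery Operator, not Contributor or Owner. Grant it at vault scope if
#    missing and warn when broader roles are inherited from above.
$roles = Get-AzRoleAssignment -SignInName $operatorUpn -Scope $vault.ID |
    Select-Object -ExpandProperty RoleDefinitionName
if ($roles -notcontains 'Site Recovery Operator' -and $roles -notcontains 'Site Recovery Contributor') {
    New-AzRoleAssignment -SignInName $operatorUpn -RoleDefinitionName 'Site Recovery Operator' -Scope $vault.ID | Out-Null
}
if ($roles -contains 'Owner' -or $roles -contains 'Contributor') {
    Write-Warning "$operatorUpn holds $($roles -join ', ') on the vault, which is broader than Site Recovery needs"
}

# 3. Outbound allow-list on the source VM's NSG using service tags instead of
#    IP ranges. Storage.<source region> covers the cache storage account the
#    mobility extension writes to; the other tags are the documented ASR
#    dependencies (directory auth, the service endpoints, monitoring).
$nsg = Get-AzNetworkSecurityGroup -Name 'ExamRef-VMSR-nsg' -ResourceGroupName 'ExamRef-RGSR'  # assumed
$required = @(
    @{ Name = 'Allow-ASR-Storage';  Tag = "Storage.$sourceRegion";  Priority = 100 },
    @{ Name = 'Allow-ASR-AAD';      Tag = 'AzureActiveDirectory';   Priority = 110 },
    @{ Name = 'Allow-ASR-Service';  Tag = 'AzureSiteRecovery';      Priority = 120 },
    @{ Name = 'Allow-ASR-EventHub'; Tag = 'EventHub';               Priority = 130 }
)
foreach ($rule in $required) {
    if ($nsg.SecurityRules | Where-Object Name -eq $rule.Name) { continue }   # idempotent
    Add-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Name $rule.Name -Direction Outbound -Access Allow `
        -Priority $rule.Priority -Protocol Tcp -SourceAddressPrefix '*' -SourcePortRange '*' `
        -DestinationAddressPrefix $rule.Tag -DestinationPortRange 443 | Out-Null
}
Set-AzNetworkSecurityGroup -NetworkSecurityGroup $nsg | Out-Null
```

These allow rules only become a real allow-list once an explicit deny-all outbound rule sits below them at a lower priority; add that rule only after the VM's other egress needs (Windows Update, monitoring agents, application dependencies) have their own allow rules, or replication is not the only thing that breaks.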

To enable replication from source VM, follow these steps: 

1. Open the Recovery Services Vault and select + Replicate. 


2. On the Source page, you need to provide the source details, such as the location, 
deployment model, subscription, source resource group, as shown in Figure 5-64. 


[Figure 5-64 (screenshot): Enable replication blade for ExamRef-RSV, Source step. Source environment: Azure; source location: East US; Azure virtual machine deployment model: Resource Manager; source subscription: Visual Studio Ultimate with MSDN; source resource group: ExamRef-RGSR; Disaster Recovery between Availability Zones?: No.]

FIGURE 5-64 Enable replication — Source configuration


3. On the next blade, select the source VM for replication (see Figure 5-65).

[Figure 5-65 (screenshot): Enable replication blade, Select virtual machines step, listing ExamRef-VMSR on the ExamRef-RGSR-vnet virtual network, with a link "Unable to view / select your VMs? Click here to know why."]

FIGURE 5-65 Enable replication — Source VM selection


4. Next, you must configure the target environment settings, as shown in Figure 5-66, and then click Create Target Resources.

[Figure 5-66 (screenshot): Enable replication blade, Configure settings step. Target location and target subscription (Visual Studio Ultimate with MSDN) can be customized. By default Site Recovery mirrors the source site configuration to the target site by creating or using the required resource groups, storage accounts, virtual network and availability sets; click Customize to change this. Created resources are appended with the "asr" suffix. Target resource group: ExamRef-RG; target virtual network: ExamRef-RG-vnet; cache storage account: (new); replica managed disks: (new) 1 premium disk, 0 standard disks; target availability sets: Not Applicable. Replication policy: 24-hour-retention-policy with recovery point retention of 24 hours, app-consistent snapshot frequency of 4 hours, and no replication group. Extension settings: Update settings "Allow ASR to manage", with a new Automation account. A note warns that if you choose General Purpose v2 storage accounts you should understand the operations and data transfer prices before proceeding.]

FIGURE 5-66 Enable replication — Target settings
5. Finally, click Enable Replication (see Figure 5-67).

[Figure 5-67 (screenshot): Enable replication summary for ExamRef-RSV: 1 Source (Azure, East US), 2 Virtual machines (1 selected), 3 Settings (Configured).]

FIGURE 5-67 Enable replication—Target settings


You can track the replication progress by selecting Site Recovery Jobs (see Figure 5-68). It takes a while for the initial replication and synchronization to complete, and you cannot proceed with the remaining steps until the VM is replicated.

[Figure 5-68 (screenshot): the Site Recovery jobs list for the vault.]

FIGURE 5-68 Site Recovery jobs

Once replicated, the source VM is listed in the Recovery Services Vault under Replicated Items. The overview is shown in Figure 5-69.

[Figure 5-69 (screenshot): Replicated items listing ExamRef-VMSR.]

FIGURE 5-69 Replicated Items—Source VM
Now it's time to do a test failover:

1. Right-click the VM under Replicated Items and click Test Failover (see Figure 5-70).

[Figure 5-70 (screenshot): ExamRef-RSV | Replicated items blade with the Test Failover command.]

FIGURE 5-70 Replicated Items—Test Failover


2. On the Test Failover blade, select a recovery point from the Choose A Recovery Point 
drop-down menu and choose a virtual network from the Azure Virtual Network drop- 
down menu, as shown in Figure 5-71 and click OK. 


[Figure 5-71 (screenshot): Test failover blade for ExamRef-VMSR. Failover direction: From (source); recovery point: Latest processed (low RTO); Azure virtual network: ExamRef-RG-vnet. The blade recommends that for a test failover you use a network different from the production network specified under the Compute and Network settings of the virtual machine.]

FIGURE 5-71 Test failover blade
3. You can track the progress of the test failover by using Site Recovery jobs, as shown in Figure 5-72. When the job completes, you will see the test VM created in the target resource group.

[Figure 5-72 (screenshot): the Test failover job in the Site Recovery jobs list.]

FIGURE 5-72 Test failover -Jobs


4. You can delete the test VM after verifying the VM and network details. To delete the VM 
and other resources, select Cleanup Test Failover, as shown in Figure 5-73. 


[Figure 5-73 (screenshot): ExamRef-RSV | Replicated items blade with the Cleanup Test Failover command.]

FIGURE 5-73 Cleanup test failover


5. You can now run an actual failover. Select Failover from the options, as shown in 
Figure 5-74. 


[Figure 5-74 (screenshot): ExamRef-RSV | Replicated items blade with the Failover command.]

FIGURE 5-74 Failover option
6. On the Failover blade, select the recovery point and verify the Failover Direction, as shown in Figure 5-75. Click OK.

[Figure 5-75 (screenshot): Failover blade for ExamRef-VMSR showing the failover direction, the recovery point drop-down set to Latest processed (low RTO) (8/17/2020, ...), and the Shut Down Machine Before Beginning Failover box checked.]

FIGURE 5-75 Failover blade


7. You can track the failover progress in Site Recovery jobs (see Figure 5-76). A target Azure VM is created with the same configuration and the target settings provided earlier.

8. Validate the failover by logging in to the VM.

9. Select Commit to complete the failover process.

[Figure 5-76 (screenshot): the Failover job in the Site Recovery jobs list.]

FIGURE 5-76 Failover —Jobs


10. You should also consider protecting your VM again by clicking Re-Protect, which will 
reverse the process (see Figure 5-77). 


MOREINFO SITE RECOVERY SCENARIOS 

Learn about the VMware site recovery to Azure at https://docs.microsoft.com/azure/site- 
recovery/tutorial-prepare-azure. You can learn about Hyper-V VM site recovery to Azure at 
https://docs.microsoft.com/azure/site-recovery/tutorial-prepare-azure-for-hyperv. 
11. Once the VM is protected again, you can perform a failback to return to the original state. Similarly, you can use Site Recovery for the other scenarios as well.
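The test failover, cleanup, failover and commit steps above map onto a handful of Az.RecoveryServices cmdlets, which is how a DR drill gets run the same way every quarter instead of by hand. The following is an added example and not code from the book or from Microsoft; the vault and resource group names, the fabric name (the default name the portal gives an Azure source region, which may differ in your vault), the protected item's friendly name and the isolated test network are assumptions.

```powershell
# Added example (not from the book): drive test failover, cleanup, failover and
# commit for one replicated item with Az.RecoveryServices. Vault, fabric, VM
# and network names are assumptions for illustration.
$vault = Get-AzRecoveryServicesVault -Name 'ExamRef-RSV' -ResourceGroupName 'ExamRef-RG'
Set-AzRecoveryServicesAsrVaultContext -Vault $vault | Out-Null

$fabric    = Get-AzRecoveryServicesAsrFabric -Name 'asr-a2a-default-eastus'      # assumed fabric name
$container = Get-AzRecoveryServicesAsrProtectionContainer -Fabric $fabric | Select-Object -First 1
$item      = Get-AzRecoveryServicesAsrReplicationProtectedItem -ProtectionContainer $container -FriendlyName 'ExamRef-VMSR'

function Wait-AsrJob {
    # Poll a Site Recovery job until it leaves the queued/running states and
    # fail loudly if it did not succeed. This is the Site Recovery jobs blade
    # from the steps above, without a human watching it.
    param([Parameter(Mandatory)]$Job)
    do {
        Start-Sleep -Seconds 20
        $Job = Get-AzRecoveryServicesAsrJob -Job $Job
    } while ($Job.State -in 'NotStarted', 'InProgress')
    if ($Job.State -ne 'Succeeded') { throw "Job '$($Job.DisplayName)' ended in state $($Job.State)" }
    return $Job
}

# Newest recovery point, the portal's "Latest processed (low RTO)". Filter on
# RecoveryPointType -eq 'AppConsistent' instead when the application needs it.
$rp = Get-AzRecoveryServicesAsrRecoveryPoint -ReplicationProtectedItem $item |
      Sort-Object RecoveryPointTime -Descending | Select-Object -First 1

# 1. Test failover into an isolated VNet so the test VM cannot reach production
#    (the recommendation shown on the Test failover blade).
$testVnet = Get-AzVirtualNetwork -Name 'ExamRef-RG-vnet-test' -ResourceGroupName 'ExamRef-RG'   # assumed
$job = Start-AzRecoveryServicesAsrTestFailoverJob -ReplicationProtectedItem $item `
          -Direction PrimaryToRecovery -RecoveryPoint $rp -AzureVMNetworkId $testVnet.Id
Wait-AsrJob $job | Out-Null

# ... validate the test VM here (logon, service checks) before cleaning up ...

# 2. Cleanup deletes the test VM; Site Recovery requires it before a real failover.
#    The comment is recorded in the job history as evidence of what was verified.
$job = Start-AzRecoveryServicesAsrTestFailoverCleanupJob -ReplicationProtectedItem $item -Comment 'DR drill validated'
Wait-AsrJob $job | Out-Null

# 3. Real failover. -PerformSourceSideAction is the "shut down machine before
#    beginning failover" box: it stops the source VM so both copies never run at once.
$job = Start-AzRecoveryServicesAsrUnplannedFailoverJob -ReplicationProtectedItem $item `
          -Direction PrimaryToRecovery -RecoveryPoint $rp -PerformSourceSideAction
Wait-AsrJob $job | Out-Null

# 4. Commit only after validating the failed-over VM; until then you can still
#    change the recovery point. Commit discards the other points.
$job = Start-AzRecoveryServicesAsrCommitFailoverJob -ReplicationProtectedItem $item
Wait-AsrJob $job | Out-Null
```

Re-protect (step 10) is `Update-AzRecoveryServicesAsrProtectionDirection -AzureToAzure` on the same item and needs a protection container mapping in the reverse direction plus a cache storage account and resource group in the now-primary region, which is why the portal's Re-protect blade asks for those values.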


[Figure 5-77 (screenshot): Re-protect blade. By default, Site Recovery picks the original source resource group (ExamRef-RGSR), virtual network (ExamRef-RGSR-vnet), storage accounts and availability sets as the targets; click Customize to change them. Created resources carry the "asr" suffix. A new cache storage account and one premium replica managed disk are created. A note warns that if you choose General Purpose v2 storage accounts you should understand the operations and data transfer prices before proceeding.]

FIGURE 5-77 Re-protect option


MOREINFO AZURE MIGRATE 


If you want to migrate an on-premises workload to Azure, see https://docs.microsoft.com/ 
azure/migrate/migrate-services-overview. 


Configure and review backup reports

Azure Backup Reports provide data visualization across your Recovery Services Vaults and Azure subscriptions to give insight into your backup activity. This reporting solution is currently supported for Azure virtual machine backup and for file and folder backup with the MARS (Microsoft Azure Recovery Services) agent. For the other supported scenarios, see https://docs.microsoft.com/azure/backup/backup-azure-configure-reports#supported-scenarios.


To configure backup reports, you need to create or use an existing Log Analytics Workspace to store the backup reporting data. You also need a Recovery Services Vault, which records all backup operations as diagnostic data. Creating a Recovery Services Vault is discussed earlier in the chapter (see "Create a Recovery Services Vault"). To configure diagnostics for the Recovery Services Vault, open the vault and then choose Diagnostic Settings > + Add Diagnostic Setting (see Figure 5-78).

FIGURE 5-78 Diagnostic settings for the Azure Recovery Vault

In this example, we have chosen the log categories shown in Figure 5-79, and the data is sent to the Log Analytics Workspace with retention left at the default 30-day setting. If you want to retain data for more than 30 days, update the Retention setting in the Log Analytics Workspace.
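The diagnostic setting just described can be created from PowerShell as well, which also makes it easy to follow the portal's advice of keeping the Azure Backup categories and the Azure Site Recovery categories in two separate settings, both in resource-specific mode, and to query the resulting tables for failed jobs. The following is an added example and not code from the book or from Microsoft; it uses the Az.Monitor 3.x cmdlets and the vault, resource group and workspace names are assumptions.

```powershell
# Added example (not from the book): two resource-specific diagnostic settings
# for a Recovery Services vault (Backup and Site Recovery kept apart, as the
# portal note recommends) and a Log Analytics query for failed backup jobs.
# Vault, resource group and workspace names are assumptions.
$vault = Get-AzRecoveryServicesVault -Name 'ExamRef-RSV' -ResourceGroupName 'ExamRef-RG'
$ws    = Get-AzOperationalInsightsWorkspace -Name 'ExamRef-LAWorkspace' -ResourceGroupName 'ExamRef-RG'

$backupCategories = 'CoreAzureBackup', 'AddonAzureBackupJobs', 'AddonAzureBackupAlerts',
                    'AddonAzureBackupPolicy', 'AddonAzureBackupStorage', 'AddonAzureBackupProtectedInstance'
$asrCategories    = 'AzureSiteRecoveryJobs', 'AzureSiteRecoveryEvents', 'AzureSiteRecoveryReplicatedItems',
                    'AzureSiteRecoveryReplicationStats', 'AzureSiteRecoveryRecoveryPoints'

function New-VaultDiagnosticSetting {
    # One setting per category group. 'Dedicated' is the resource-specific mode
    # (one table per category); the legacy AzureBackupReport category only
    # works in 'AzureDiagnostics' mode, which is why it is not mixed in here.
    param([string]$Name, [string[]]$Categories, [string]$DestinationType = 'Dedicated')
    $logs = foreach ($c in $Categories) { New-AzDiagnosticSettingLogSettingsObject -Category $c -Enabled $true }
    New-AzDiagnosticSetting -Name $Name -ResourceId $vault.ID -WorkspaceId $ws.ResourceId `
        -Log $logs -LogAnalyticsDestinationType $DestinationType
}

New-VaultDiagnosticSetting -Name 'ExamRef-BackupReports'   -Categories $backupCategories | Out-Null
New-VaultDiagnosticSetting -Name 'ExamRef-ASRDiagnostics'  -Categories $asrCategories    | Out-Null

# Backup jobs that did not complete in the last 7 days, grouped by item and
# failure code. This is the query an Azure Monitor log alert rule would run on
# a schedule instead of someone opening the Backup Reports blade.
$kql = @'
AddonAzureBackupJobs
| where TimeGenerated > ago(7d)
| where JobOperation == "Backup" and JobStatus != "Completed"
| summarize Failures = count(), LastFailure = max(TimeGenerated) by BackupItemUniqueId, JobFailureCode
| order by Failures desc
'@
(Invoke-AzOperationalInsightsQuery -WorkspaceId $ws.CustomerId -Query $kql).Results | Format-Table -AutoSize
```

Data appears in the workspace some time after the settings are saved, so an empty result immediately after running the script does not mean the setting is wrong; check the Diagnostic Settings blade of the vault and wait for the first scheduled backup to run.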


[Figure 5-79 (screenshot): Diagnostics setting named ExamRef-BackupReports on ExamRef-RSV. Log categories available: AzureBackupReport, CoreAzureBackup, AddonAzureBackupJobs, AddonAzureBackupAlerts, AddonAzureBackupPolicy, AddonAzureBackupStorage, AddonAzureBackupProtectedInstance, AzureSiteRecoveryJobs, AzureSiteRecoveryEvents, AzureSiteRecoveryReplicatedItems, AzureSiteRecoveryReplicationStats, AzureSiteRecoveryRecoveryPoints. Destination: Send to Log Analytics, workspace ExamRef-LAWorkspace (canadacentral), destination table Azure diagnostics; Archive to a storage account and Stream to an event hub are not selected. Portal note: create separate diagnostic settings for Azure Backup and Azure Site Recovery events to prevent potential data loss; for Azure Backup events in Resource specific mode, select only CoreAzureBackup, AddonAzureBackupJobs, AddonAzureBackupAlerts, AddonAzureBackupPolicy, AddonAzureBackupStorage and AddonAzureBackupProtectedInstance; the AzureBackupReport event works only in Azure diagnostics mode.]

FIGURE 5-79 Diagnostic settings for the Azure Recovery Vault
Once diagnostic settings are configured, you can view the backup report data in the Recovery Services Vault by clicking Backup Reports under Manage, as shown in Figure 5-80.

[Figure 5-80 (screenshot): ExamRef-RSV | Backup Reports with the tabs Overview, Summary, Backup Items, Usage, Jobs, Policies and Optimize, a Select Log Analytics Workspace control (subscriptions and workspaces) and report filters. The portal notes that there is no backup data in the selected workspace for the selected time range and prompts you to select your workspace(s) and click the Summary tab to get started.]

FIGURE 5-80 Backup reports for the Azure Recovery Vault


Thought experiment 


In this thought experiment, apply what you have learned. You can find answers to these ques- 
tions in the next section. 

You are the administrator for Trey Research Pharmaceuticals. As a leader in the design and manufacturing of cutting-edge treatments for cancer patients, Trey Research handles sensitive data, cannot accommodate any data loss, and needs to ensure that user data within the organization is protected. Users have their own assigned VMs in Azure, deployed in the Canada Central region.

Trey Research needs a backup solution with the following features:

1. All users' data must be backed up daily at 6 PM Eastern time. The data should be retained for one year from the date it is backed up.

2. If any user's backup data is accidentally deleted, they must be able to restore it within two weeks.

3. Users should be able to restore their VMs as well as files and folders from the backup data.

Thought experiment answers


This section contains the answers to the thought experiment for the chapter.

1. Create a backup policy with a schedule that runs the backup at 6 PM Eastern time and retains each daily backup point for 365 days.

2. Enable the Soft Delete feature under Security Settings in the Properties of the Recovery Services Vault.

3. Use the Restore VM and File Recovery options to restore the VM and to restore files and folders, respectively.
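The three answers can be implemented with Az.RecoveryServices rather than clicked through the portal. The following is an added example and not code from the book; the vault, resource group, policy and VM names are assumptions, and the schedule time is given in UTC because backup policies store their run times in UTC (6 PM Eastern is 22:00 UTC during daylight time and 23:00 UTC in winter, so pick the offset you want to honour).

```powershell
# Added example (not from the book): implement the thought-experiment answers.
# Vault, resource group, policy and VM names are assumptions for illustration.
$vault = Get-AzRecoveryServicesVault -Name 'ExamRef-RSV' -ResourceGroupName 'ExamRef-RG'

# Answer 1: daily VM backup at 6 PM Eastern (22:00 UTC, daylight time) retained 365 days.
$schedule = Get-AzRecoveryServicesBackupSchedulePolicyObject -WorkloadType AzureVM
$schedule.ScheduleRunTimes.Clear()
$schedule.ScheduleRunTimes.Add((Get-Date -Date '2020-08-17 22:00:00Z').ToUniversalTime())

$retention = Get-AzRecoveryServicesBackupRetentionPolicyObject -WorkloadType AzureVM
$retention.IsDailyScheduleEnabled             = $true
$retention.DailySchedule.DurationCountInDays  = 365
$retention.IsWeeklyScheduleEnabled            = $false
$retention.IsMonthlyScheduleEnabled           = $false
$retention.IsYearlyScheduleEnabled            = $false

$policy = New-AzRecoveryServicesBackupProtectionPolicy -Name 'TreyResearch-Daily-1y' -WorkloadType AzureVM `
    -SchedulePolicy $schedule -RetentionPolicy $retention -VaultId $vault.ID

# Answer 2: soft delete keeps deleted backup data for 14 days, which covers the
# two-week recovery window. It is a vault property, not a policy setting.
Set-AzRecoveryServicesVaultProperty -VaultId $vault.ID -SoftDeleteFeatureState Enable

# Apply the policy to every user VM in the Canada Central resource group.
Get-AzVM -ResourceGroupName 'TreyResearch-Users' |                     # assumed resource group
    Where-Object Location -eq 'canadacentral' |
    ForEach-Object {
        Enable-AzRecoveryServicesBackupProtection -Policy $policy -Name $_.Name `
            -ResourceGroupName $_.ResourceGroupName -VaultId $vault.ID | Out-Null
    }

# Answer 3: a whole-VM restore uses Restore-AzRecoveryServicesBackupItem; for
# files and folders, download the mount script for a recovery point and run it
# on a machine where the user can copy the files out of the mounted disks.
$item = Get-AzRecoveryServicesBackupItem -BackupManagementType AzureVM -WorkloadType AzureVM `
            -Name 'user-vm-01' -VaultId $vault.ID                        # assumed VM name
$rp   = Get-AzRecoveryServicesBackupRecoveryPoint -Item $item -VaultId $vault.ID | Select-Object -First 1
Get-AzRecoveryServicesBackupRPMountScript -RecoveryPoint $rp -VaultId $vault.ID -Path 'C:\Temp'
```

Run `Get-AzRecoveryServicesBackupProtectionPolicy -VaultId $vault.ID` afterwards to confirm the schedule and retention that were actually stored; the cmdlet rounds and validates the run time, so the value you see is the value the backups will use.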


Chapter summary 


Below are some of the key takeaways from this chapter:

■ Azure Monitor is a single pane of glass for accessing Azure metrics, tenant and resource diagnostic logs, Log Analytics, service health, and alerts.

■ You can configure alerts ranging from metric alerts (captured from Azure Metrics) to Activity Log alerts that notify by email, webhook, SMS, Logic Apps, or even an Azure Automation runbook.

■ Azure Log Analytics can consolidate machine data from on-premises and cloud-based workloads; this data is indexed and categorized for quick searching. Data can be collected from both Windows and Linux machines.

■ Azure Log Analytics has many management solutions that help administrators gain value out of complex machine data. These solutions contain pre-built visualizations and queries that help surface insights quickly.

■ Queries in Log Analytics can be saved for quick access and visualized and shared using Azure Dashboards. To analyze data outside of Log Analytics, you can export the data to Excel and Power BI.

■ A Recovery Services Vault is used for configuration and management of both Backup and Site Recovery.

■ An Azure Backup policy defines how often backups occur and how long the backups are retained.

■ The Azure Backup service can back up and restore an entire virtual machine, and you can also use it for file recovery to restore files from a recovery point without recreating the entire virtual machine.

■ Azure Backup can be used to protect files and folders, applications, and IaaS virtual machines. This cloud-based data protection service helps organizations by providing offsite backups of on-premises servers and protection of VM workloads they have already moved to the cloud.

■ With the Soft Delete feature, backup data is retained for 14 days after deletion.

■ The Azure Site Recovery service enables you to replicate, fail over, and fail back virtual machines as needed.
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agent deployment, 109-111 
health monitoring, 112-113 
server endpoint addition, 111-112 
sync group creation, 108 
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Azure File Sync 


purpose of, 108 metrics configuration, 336-340 
troubleshooting, 112 purpose of, 334-336 
Azure Files Azure Monitor for Containers, 335 
access control Azure Monitor for VMs, 335 
Azure AD DS authentication, 86-89 Azure Policy 
configuring, 84-89 configuring, 30-37 
on-premises AD DS authentication, 85-86 scope, 50-51 
account registration, 87 Azure Site Recovery, 384-390 
disaster recovery, 374 Azure Storage. See also Blob Storage 
file shares access key management, 79-80 
creating, 104-105 account creation and configuration, 67-73 
Linux connections, 107 account types, 69 
non-Azure connections, 105 Blob Storage access tiers, 71 
Windows connections, 105-107 naming requirements, 68 
purpose of, 104 performance tiers, 68 
Azure Firewall, configuring, 268-279 replication options, 69-70, 98-103 
application rule collection, 274-275 AzCopy, 96-98 
deployment, 271-272 async blob copy service, 97 
DNAT rule creation, 278-279 authentication, 96-97 
network rule collection, 275-277 platform support, 97 
route table creation and association, 273-274 sync blob copy service, 98 
testing, 277-278 uploading/downloading data, 97 
VM creation, 270-271 Azure AD authentication, 80-84 
VNet and subnet creation, 269 exporting data, 89-90 
Azure Import/Export importing data, 91-93 
exporting data, 89-90 network access configuration, 64-67 
importing data, 91-93 Blob Storage access levels, 66-67 
purpose of, 89 firewalls, 64-65 
Azure Key Vault, 80 virtual network service endpoints, 65-66 
cost of, 162 purpose of, 63 
Azure Kubernetes Service. See AKS (Azure Kubernetes SAS token creation, 73-78 
Service) service types, 67-68 
Azure Load Balancer, 287-290 Azure Storage Explorer, 93-96 
configuring, 290-294 async blob copy service, 95-96 
backend configuration, 289 AzCopy and, 96 
frontend IP configuration, 288-289 blob management, 116 
health probes, 289-290 connecting to storage accounts, 93-95 
pricing tiers, 288 installing, 93 
purpose of, 283 supported operations, 95 
troubleshooting, 294-295 Azure Traffic Manager, purpose of, 246 
Azure Monitor Azure Virtual Networks (VNets). See virtual networks 
alerts, 352-363 Azure Virtual WAN, configuring, 320-325 
analyzing across subscriptions, 361-363 creating in Azure portal, 320-321 
configuring, 353-359 ExpressRoute association, 324-325 
purpose of, 352-353 point-to-site connections, 323-324 
states, 361 site-to-site connections, 322-323 
viewing, 359-361 Azure VPN Gateway 
log queries and analysis, 347-352 configuring, 311-315 
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BGP (Border Gateway Protocol), 312 

creating in Azure portal, 313-315 

high availability, 312-313 

subnets, 311, 313-315 

pricing tiers, 311-312 

AzureCloud service tag, 260 
AzureLoacBalancer server tag, 260 
AzureRm module (PowerShell), 53 
AzureTrafficManager service tag, 260 


backend configuration in Azure Load Balancer, 289 


backing up web apps, 201-203 
backup and recovery. See disaster recovery 
backup policies, configuring, 368-371 
backup reports, configuring, 390-392 
BGP (Border Gateway Protocol), 312 
Blob Storage. See also blobs (Azure Storage) 
access tiers, 71 
configuring, 117-121 
account types, 69 
configuring, 113-117 
Azure portal management, 114-115 
blob containers, 113-114 
soft delete, 116-117 
Storage Explorer management, 116 
types of blobs, 114 


lifecycle management configuration, 121-125 


network access levels, 66-67 
object replication configuration, 100-103 
purpose of, 113 
uploading/downloading data, 97 
blob-level tiers (Blob Storage), 118-119 
blobs (Azure Storage). See also Blob Storage 
Azure Storage Explorer operations, 95 
change feed, 100 
containers, 113-114 
Azure portal management, 114-115 
Storage Explorer management, 116 
exporting, 89-90 
purpose of, 67 
RBAC roles, 81 
scope, 82 
soft delete, 116-117 
types of, 68, 114 
versioning, 100 
Block Blobs, 68, 114 


configuring 


Border Gateway Protocol (BGP), 312 
budgets (Azure Cost Management), 53-55 
built-in roles (Azure AD), 17 

cloning, 20-25 
bulk updating users (Azure AD), 8-9 


C 


CAA records (DNS), 249 
change feed for blobs, 100 
changing 
access tiers (Blob Storage), 119-121 
storage account replication mode, 99 
child DNS zones, delegating, 247-248 
CIDR (classless inter-domain routing) notation, 214 
circuits (ExpressRoute) 
associating with Azure Virtual Wan, 324-325 
cost of, 319 
creating, 318-319 
peering, 316-317 
cloning roles (Azure AD), 20-25 
Cloud Shell, 185 
cloud tiering, 111 
cluster autoscaler, 189 
clusters (AKS) 
connecting to, 189-190 
scaling, 188-189 
storage configuration, 187-188 
upgrading, 190-191 
cmdlets (PowerShell), referencing, 53 
CMK (customer-managed keys), 166-168 
CNAME records (DNS), 249 
CNI (Azure Container Networking Interface), 189 
Compute Optimized size type (VMs), 172 
compute resources. See ACI (Azure Container Instances); 
AKS (Azure Kubernetes Service); VMs (virtual machines) 
configuring 
access control (Azure Files), 84-89 
Azure AD DS authentication, 86-89 
on-premises AD DS authentication, 85-86 
access tiers (Blob Storage), 117-121 
accounts (Azure Storage), 67-73 
account types, 69 
Azure AD authentication, 82-84 
Blob Storage access tiers, 71 
naming requirements, 68 
network access, 64-67 
performance tiers, 68 
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replication options, 69-70, 98-103 
SAS token creation, 73-78 
AKS (Azure Kubernetes Service) 
scaling, 188-189 
storage, 187-188 
alerts (Azure Monitor), 353-359 
Application Insights, 363-365 
Azure AD Join, 11-13 
Azure Application Gateway, 283-287 
Azure Bastion Service, 279-282 
Azure DNS 
custom DNS settings, 253-255 
private DNS zones, 255-257 
Azure File Sync, 108-113 
agent deployment, 109-111 
health monitoring, 112-113 
server endpoint addition, 111-112 
sync group creation, 108 
Azure Firewall, 268-279 
application rule collection, 274-275 
deployment, 271-272 
DNAT rule creation, 278-279 
network rule collection, 275-277 
route table creation and association, 273-274 
testing, 277-278 
VM creation, 270-271 
VNet and subnet creation, 269 
Azure Load Balancer, 290-294 
backend configuration, 289 
frontend IP configuration, 288-289 
Azure Policy, 30-37 
Azure Virtual WAN, 320-325 
creating in Azure portal, 320-321 
ExpressRoute association, 324-325 
point-to-site connections, 323-324 
site-to-site connections, 322-323 
Azure VPN Gateway, 311-315 
BGP (Border Gateway Protocol), 312 
creating in Azure portal, 313-315 
high availability, 312-313 
subnets, 311, 313-315
backup policies, 368-371 
backup reports, 390-392 
Blob Storage, 113-117 
Azure portal management, 114-115 
blob containers, 113-114 
soft delete, 116-117 
Storage Explorer management, 116 
types of blobs, 114
cost management (Azure AD), 52-59
cost center quotas, 53-55 
monitoring and reporting spend, 56-59 
resource quotas, 52-53 
ExpressRoute, 315-320 
circuit creation, 318-319 
circuit peering, 316-317 
connectivity models, 315-316 
global availability, 317-318 
peering, 316-317 
virtual network connections, 320 
ExpressRoute Monitor, 301-302 
lifecycle management (Blob Storage), 121-125 
Log Analytics, 340-347 
agent installation, 344 
agent ports and protocols, 344 
diagnostic settings, 344-347 
workspace implementation, 340-344 
management groups (Azure AD), 49-51 
metrics, 336-340 
NPM (Network Performance Monitor), 296-299 
object replication (Blob Storage), 100-103 
Performance Monitor, 299-300 
resource locks (Azure AD), 37-38 
resource tags (Azure AD), 38-41 
Service Connectivity Monitor, 300-301 
SSPR (self-service password reset), 14-15 
virtual networks 
creating in Azure portal, 217-219 
IP ranges, 214-215 
network interfaces, 225-226 
network routes, 232-239 
peering, 220-225 
private endpoints, 241-243 
private IP addresses, 226-228 
properties, 215-216 
public IP addresses, 228-232 
service endpoints, 239-241 
subnets, 215 
VMs (virtual machines) 
ARM template modification, 137-138 
ARM template structure, 130-137 
automating configuration, 130-148 
Azure Disk Encryption, 161-170 
Custom Script Extension, 145-148 
custom template creation, 139-144 
high availability, 148-154 
networking, 175-183, 225 
saving deployment as ARM template, 144-145 
scalability, 154-161
VHD template configuration, 138-139 
connecting 
to AKS (Azure Kubernetes Service), 189-190 
to Azure Files 
Linux connections, 107 
non-Azure connections, 105 
Windows connections, 105-107 
storage accounts to Azure Storage Explorer, 93-95
to VMs 
authentication, 179 
Linux VM connections with SSH, 182-183 
network interface creation, 179-181 
options for, 179
Windows VM connections with Remote Desktop, 181-182
Connection Monitor tool, 309-310 
Connection Troubleshoot tool, 307-309 
connectivity models (ExpressRoute), 315-316 
container groups, ACI (Azure Container Instances), 185-186
containers 
ACI (Azure Container Instances), 185-187 
container groups, 185-186 
sizing and scaling, 185-186 
advantages of, 184 
AKS (Azure Kubernetes Service), 187-191 
cluster upgrades, 190-191 
connecting to, 189-190 
scaling, 188-189 
storage configuration, 187-188 
Azure Monitor for Containers, 335 
Blob Storage, 113-114 
Azure portal management, 114-115 
Storage Explorer management, 116 
Cool access tier (Blob Storage), 71 
copying with AzCopy, 96-98 
cost center quotas (Azure AD), 53-55 
cost management (Azure AD), configuring, 52-59 
cost center quotas, 53-55 
monitoring and reporting spend, 56-59 
resource quotas, 52-53 
custom ARM templates, creating, 139-144 
custom DNS settings, configuring, 253-255 
custom domain names for web apps, 199-201 
custom roles (Azure AD), creating, 19-25 
Custom Script Extension, 145-148 
customer-managed keys (CMK), 166-168 


D 


data disks, adding to VMs, 173-175 
default NSG rules, 261 
delegating 
DNS domains, 245 
DNS zones, 247-248 
deleting 
devices (Azure AD), 8 
resource groups (Azure AD), 45-47 
role assignments (Azure AD), 28 
deny assignments (RBAC), 19, 26 
deploying web apps, 206-209 
deployment slots, 206-208 
devices (Azure AD) 
configuring Azure AD Join, 11-13 
managing, 7-8 
diagnostic logs, 302, 344-347 
disabling 
Azure Disk Encryption, 169-170 
devices (Azure AD), 8 
SMB (Server Message Block) v1, 105 
disaster recovery 
Azure Backup 
Azure workload backups, 371-373 
Azure workload restoration, 374-377 
backup report configuration, 390-392 
on-premises workload backups, 374-383 
on-premises workload restoration, 383 
purpose of, 334, 365 
Azure Site Recovery, 384-390 
Recovery Services Vault 
backup policy configuration, 368-371 
creating, 366 
Soft Delete option, 366-368 
disks (Azure Storage), 68 
DNAT rules, creating, 278-279 
DNS (Domain Name System). See also Azure DNS 
in Azure, 246 
labels, 230-231 
operational overview, 243-246 
records 
creating, 250-253 
managing, 248-249 
for web apps, 199-201 
DNS resolvers, 244-245 
DNS zones 
creating, 250-253 
delegating, 247-248
private zones, configuring, 255-257 
purpose of, 244
Domain Name System. See DNS (Domain Name System)
domain names, 243-244
for web apps, 199-201
downloading with AzCopy, 97 
dynamic groups (Azure AD), creating, 5-6 
dynamic private IP addresses, 226-227 
dynamic public IP addresses, 229


E


effective security rules, evaluating, 267-268
enabling 
Azure Disk Encryption
with CMK (customer-managed keys), 166-168
on existing VMs, 162-166
on new data disks, 168-169
diagnostic logs, 345-346 
IP forwarding, 236 
Network Watcher, 302 
static private IP addresses, 227-228 
encryption. See Azure Disk Encryption 
endpoints 
private endpoints, configuring, 241-243 
service endpoints, configuring, 239-241 
evaluating effective security rules, 267-268 
exporting Azure Storage data, 89-90 
ExpressRoute 
associating with Azure Virtual WAN, 324-325
configuring, 315-320 
circuit creation, 318-319 
circuit peering, 316-317 
connectivity models, 315-316 
global availability, 317-318 
peering, 316-317 
virtual network connections, 320 
purpose of, 315 
site-to-site VPNs versus, 315 
ExpressRoute Monitor 
configuring, 301-302 
purpose of, 296 


F 


fault domains for availability sets, 152 
file shares (Azure Files)
Azure File Sync, configuring, 108-113
creating, 104-105 
Linux connections, 107 
non-Azure connections, 105 
purpose of, 104 
Windows connections, 105-107 
files (Azure Storage) 
Azure Storage Explorer operations, 95 
purpose of, 68 
firewalls 
Azure Firewall, configuring, 268-279 
for storage accounts, 64-65 
forced tunneling, 237 
FQDNs (fully qualified domain names), 245, 275 
frontend IP configuration in Azure Load Balancer, 288-289
Function Apps, 358 
functions for ARM templates, 131 


G 


General Purpose size type (VMs), 172 
geographically redundant storage (GRS), 70
geographically zone redundant storage (GZRS), 70
global availability of ExpressRoute, 317-318 
global VNet peering, 220 
glue records (DNS), 247 
governance (Azure AD) 
cost management configuration, 52-59 
cost center quotas, 53-55 
monitoring and reporting spend, 56-59 
resource quotas, 52-53 
management group configuration, 49-51 
policy configuration, 30-37 
resource group management, 41-47
resource lock configuration, 37-38
resource tag configuration, 38-41
subscription management, 47-49 
GPU Optimized size type (VMs), 172 
graphs for queries, 350-352 
groups (Azure AD) 
creating, 3-6 
managing, 6-7 
role assignment, 17 
types of, 4 
GRS (geographically redundant storage), 70
guest accounts (Azure AD), managing, 9-11
GZRS (geographically zone redundant storage), 70
H


hardware security modules (HSMs), 80 
health monitoring 
in Azure File Sync, 112-113 
in Azure Load Balancer, 289-290 
in VMSS, 158-159 
high availability 
for VMs, 148-154 
availability sets, 151-154 
availability zones, 149-151 
for VPN gateways, 312-313 
High Performance Compute size type (VMs), 172 
horizontal pod autoscaler (HPA), 189 
Hot access tier (Blob Storage), 71 
HPA (horizontal pod autoscaler), 189 
HSMs (hardware security modules), 80
HTTPS protocol, 67 
hub-and-spoke networks, service chaining in, 222 
hybrid joining devices (Azure AD), 11, 13 
hybrid networks 
Azure Virtual WAN configuration, 320-325 
Azure VPN Gateway configuration, 311-315 
ExpressRoute configuration, 315-320 
purpose of, 310-311 
verifying and troubleshooting, 320


I


IaC (Infrastructure as Code), 137
importing Azure Storage data, 91-93 
inbound rules, default, 261 
infrastructure FQDNs, 275 
inheritance 
of resource locks (Azure AD), 37 
of roles (Azure AD), 16, 18 
installing 
Azure Backup Server, 377-379 
Azure File Sync agent, 109-111 
Azure Storage Explorer, 93 
MARS (Microsoft Azure Recovery Services) agent, 379-383
NPM (Network Performance Monitor), 296-299 
Internal DNS, 246 
internal Load Balancers, 288 
Internet default rule, 261 
Internet service tag, 260 
IP addresses
private, configuring, 226-228
public, configuring, 228-232
types of, 225

IP Flow Verify tool, 303
IP forwarding, 236
IP ranges, 214-215
IPv4 public addresses, 232
IPv6 public addresses, 232
ITSM (IT Service Management) actions, 358


J 


joining devices (Azure AD), 11, 13
JSON (JavaScript Object Notation) files
custom roles (Azure AD), creating, 25
schema files in ARM templates, 131


K 


kubectl, 188-189
kubenet, 189
Kubernetes. See AKS (Azure Kubernetes Service)
Kusto, 348


L 


large scale sets (VMSS), 154 
LDNS (local DNS service), 244-245 
license requirements, SSPR (self-service password reset), 14
lifecycle management (Blob Storage), configuring, 121-125
Linux connections to Azure Files, 107 
Linux VMs, SSH connections, 182-183 
listings 
creating network interface, 133-134 
IP configurations, 135 
template structure for creating virtual network, 132 
variables for virtual network creation, 132 
virtual machine resource, 136 
Load Balancer default rule, 261 
load balancing, 282-295 
Azure Application Gateway 
configuring, 283-287 
documentation, 282
purpose of, 282
Azure Load Balancer, 287-290 
backend configuration, 289 
configuring, 290-294 
frontend IP configuration, 288-289 
health probes, 289-290 
pricing tiers, 288 
purpose of, 283 
troubleshooting, 294-295 
local DNS service (LDNS), 244-245 
locally redundant storage (LRS), 69 
Log Analytics, 335 
configuring, 340-347 
agent installation, 344 
agent ports and protocols, 344 
diagnostic settings, 344-347 
workspace implementation, 340-344 
log queries and analysis, 347-352 
purpose of, 340 
Logic Apps, 358 
logs 
diagnostic, 344-347 
metrics versus, 335 
purpose of, 347 
queries and analysis, 347-352 
LRS (locally redundant storage), 69 


M 


managed disks, availability sets and, 153-154 
management groups (Azure AD), 18 
associating policies with, 32 
configuring, 49-51 
management locks (Azure AD), configuring, 37-38 
managing 
blobs (Azure Storage) 
in Azure portal, 114-115 
in Azure Storage Explorer, 116 
devices (Azure AD), 7-8 
groups (Azure AD), 6-7 
guest accounts (Azure AD), 9-11 
records (DNS), 248-249 
resource groups (Azure AD), 41-47 
role assignments (Azure AD), 25-28, 47-49 
subscriptions (Azure AD), 47-49 
users (Azure AD), 6-7 
VMs (virtual machines) 
Custom Script Extension, 145-148 
data disk addition, 173-175
moving across subscriptions/resource groups, 170-171
size types, 172-173 
MARS (Microsoft Azure Recovery Services) agent, installing, 379-383
Memory Optimized size type (VMs), 172 
metrics 
configuring, 336-340 
logs versus, 335 
purpose of, 347 
Microsoft 365, 3 
migrating on-premises workloads to Azure, 390 
modifying ARM templates, 137-138 
monitoring 
Application Insights, 363-365 
Azure Monitor 
alerts, 352-363 
purpose of, 334-336 
Log Analytics, configuring, 340-347 
logs 
metrics versus, 335 
queries and analysis, 347-352 
metrics 
configuring, 336-340 
logs versus, 335 
spend, 56-59 
strategy development for, 333 
synchronization, 112-113 
virtual networks 
diagnostic logs, 302 
Network Watcher, 302-306 
NPM (Network Performance Monitor), 296-302 
VMSS (VM scale sets), 158-159 
mounting. See connecting 
moving resources (Azure AD) across resource groups, 42-45
MX records (DNS), 249 
MySQL in-app, 201 


N 


name resolution. See Azure DNS; DNS (Domain Name System)
naming requirements for storage accounts, 68
net use command, 107
network access, configuring for storage accounts, 64-67
network interfaces 
associating NSGs with, 265-266
configuring, 225-226 
creating, 133, 179-181 
Network Performance Monitor. See NPM (Network Performance Monitor)
network routes, 232-239 
applying, 236-237 
forced tunneling, 237 
IP forwarding, 236 
purpose of, 232 
system routes, 232-234 
user-defined routes, 234-239 
network rule collection in firewalls, 275-277 
network security groups. See NSGs (network security groups)
Network Topology tool, 306 
Network Watcher, 302-306 
Connection Monitor tool, 309-310 
Connection Troubleshoot tool, 307-309 
deploying, 302 
IP Flow Verify tool, 303 
Network Topology tool, 306 
Next Hop tool, 304 
Packet Capture tool, 305 
purpose of, 302 
VPN Troubleshoot tool, 307 
networking. See also virtual networks 
in Azure App Service, 203-206 
configuring for VMs, 175-183 
accelerated networking, 177-178 
authentication, 179 
connection options, 179 
IP address types, 225 
Linux VM connections with SSH, 182-183 
network interface creation, 179-181 
Windows VM connections with Remote Desktop, 181-182
Next Hop tool, 304 
next hops, types of, 234 
notifications (Azure Monitor), 356-358 
NPM (Network Performance Monitor), 296-302 
deploying, 296-299 
ExpressRoute Monitor configuration, 301-302 
Performance Monitor configuration, 299-300 
Service Connectivity Monitor configuration, 300-301 
services in, 296 
NS records (DNS), 245, 249 
NSGs (network security groups), 176 
associating with subnets, 265-266
creating in Azure portal, 263-265
default rules, 261
evaluating effective rules, 267-268
priority of rules, 259
properties, 258-259
purpose of, 258
service tags, 260


O 


object replication (Blob Storage), configuring, 100-103 
Office 365, 3
Office 365 groups (Azure AD), 4
on-premises AD DS authentication, configuring, 85-86
outbound Internet connections, 231
outbound rules, default, 261
outputs for ARM templates, 131


P 


Packet Capture tool, 305 
Page Blobs, 68, 114 
parameters for ARM templates, 131 
passwords (Azure AD), SSPR (self-service password 
reset), 14-15 
peering virtual networks, 220-225 
creating in Azure portal, 223-225 
ExpressRoute circuits, 316-317 
limitations, 220 
purpose of, 220 
service chaining in hub-and-spoke networks, 222 
sharing virtual network gateways, 222-223 
Performance Monitor 
configuring, 299-300 
purpose of, 296 
performance tiers for storage accounts, 68 
permissions. See RBAC (role-based access control) 
persistent volumes, 188 
placement groups (VMSS), 154 
point-to-site VPNs, creating in Azure Virtual WAN, 323-324
policies (Azure AD) 
configuring, 30-37 
scope, 50-51 
Policy definitions (Azure AD), creating, 30-37 
PowerShell 
ARM template parameters, 144
Azure Bastion Service, deploying, 282
Azure Firewall, deploying, 279 
blob management, 115 
cmdlets, referencing, 53 
storage accounts 
access key generation, 79 
async blob copy service, 99 
creating, 73 
prefixes for public IP addresses, 230-231 
Premium tier (Azure Storage) 
account types, 69 
purpose of, 68 
replication options, 68 
pricing tiers 
for Azure Load Balancer, 288 
for public IP addresses, 228-229 
for VPN gateways, 311-312 
priority of NSG rules, 259 
private DNS zones, configuring, 255-257 
private endpoints, configuring, 241-243 
private IP addresses, configuring, 226-228 
properties 
of DNS records, 248 
of network interfaces, 226 
of NSG rules, 258-259 
of subnets, 215-216 
of virtual networks, 215-216 
proximity placement groups, 153 
PTR records (DNS), 249 
public IP addresses 
adding to VMs, 134-135 
allocating, 229 
configuring, 228-232 
creating in Azure portal, 232 
IPv4 versus IPv6, 232 
outbound Internet connections, 231 
prefixes, 230-231 
pricing tiers, 228-229 
public Load Balancers, 288 


Q 


queries, 347-352 
creating, 348-350 
graphs for, 350-352 
saving to dashboard, 350 
queues (Azure Storage) 
Azure Storage Explorer operations, 95
purpose of, 68
RBAC roles, 81 
scope, 82 


R 


RBAC (role-based access control) 
custom roles, creating, 19-25 
management groups and, 51 
operational overview, 16-19 
role assignments, managing, 25-28, 49 
for storage accounts, 80-84 
reconnecting to Azure Files in Windows, 107 
records (DNS) 
creating, 250-253 
managing, 248-249 
for web apps, 199-201 
recovery. See disaster recovery 
Recovery Services Vault 
backup policy configuration, 368-371 
creating, 366 
Soft Delete option, 366-368 
recursive DNS servers, purpose of, 244-246 
redeploying VMs (virtual machines), 183-184 
referencing cmdlets (PowerShell), 53 
regions, availability zones in, 149, 151 
registering devices (Azure AD), 11-13 
registration VNets, 256
Remote Desktop connections to Windows VMs, 181-182
removing. See deleting
replication options 
object replication configuration, 100-103 
for storage accounts, 68-70, 98-100 
reporting spend, 56-59 
resiliency. See high availability 
resolution VNets, 256 
resource groups (Azure AD) 
creating, 41 
deleting, 45-47 
governance, 32 
hierarchy of, 30 
managing, 41-47 
metrics analysis, 339-340 
moving resources across, 42-45, 170-171 
purpose of, 29-30 
resource locks (Azure AD), configuring, 37-38 
resource quotas (Azure AD), 52-53 
resource record sets (RRSets), 248 
resource tags (Azure AD), configuring, 38-41
resources (ARM templates), 131 
resources (Azure AD) 
hierarchy of, 30 
moving across resource groups, 42-45, 170-171 
purpose of, 28-29 
reverse DNS, purpose of, 245-246 
role-based access control. See RBAC (role-based access control)
roles (Azure AD), 16 
administrative roles versus, 17 
assigning, 16-17, 19 
managing assignments, 25-28, 47-49 
built-in roles, 17 
cloning, 20-25 
creating, 19-25 
definitions, 17 
inheritance, 16, 18 
scope, 18 
route tables 
associating with firewalls, 273-274 
creating, 235 
routes. See network routes 
routing loops, 236 
RRSets (resource record sets), 248 
Runbooks, 358 


S 


SAP HANA on Azure VM, disaster recovery, 374 
SAS (shared access signature) tokens, 67, 73-78 
saving 
deployment as ARM template, 144-145 
queries to dashboard, 350 
scalability for VMs, 154-161 
scale sets. See VMSS (VM scale sets) 
scaling 
ACI (Azure Container Instances), 185-186 
AKS (Azure Kubernetes Service), 188-189 
App Service plans, 193-196 
schema files (JSON) in ARM templates, 131 
scope 
in Azure Cost Management, 58 
in Azure Policy, 32, 50-51 
in RBAC, 18 
for storage accounts, 82 
secure shell (SSH) protocol, Linux VM connections, 182-183
security 
in AKS (Azure Kubernetes Service), 190 
of virtual networks 
Azure Bastion Service, 279-282 
Azure Firewall, 268-279 
effective security rule evaluation, 267-268 
security rule association with subnets, 265-266 
security rule creation, 258-265 
for web apps, 198-199 
security groups (Azure AD), 4 
security principals (Azure AD), 16 
role assignment, 16-17, 19, 25-28 
role definitions, 17 
role inheritance, 16, 18 
security rules. See NSGs (network security groups) 
self-service password reset (SSPR), 14-15 
server endpoints, adding in Azure File Sync, 111-112 
Server Message Block (SMB) 
access control (Azure Files), 84-89 
disabling, 105 
service chaining in hub-and-spoke networks, 222 
Service Connectivity Monitor 
configuring, 300-301 
purpose of, 296 
service endpoints, configuring on subnets, 239-241 
service tags, 260 
shared access signature (SAS) tokens, 67, 73-78 
sharing virtual network gateways, 222-223 
site-to-site VPNs 
creating in Azure Virtual WAN, 322-323 
ExpressRoute versus, 315 
size types for VMs, 172-173 
sizing ACI (Azure Container Instances), 185-186 
SMB (Server Message Block) 
access control (Azure Files), 84-89 
disabling, 105 
SNAT (Source Network Address Translation), 231 
SOA records (DNS), 249 
soft delete for blobs, 116-117 
Soft Delete option (Recovery Services Vault), 366-368 
source control for ARM templates, 131 
spending quotas (Azure AD), 52 
SPF records (DNS), 249 
spreading algorithm (VMSS), 160 
SQL Server on Azure VM, disaster recovery, 374 
Sql service tag, 260 
SRV records (DNS), 249 
SSH (secure shell) protocol, Linux VM connections, 182-183
SSPR (self-service password reset), 14-15
Standard tier (Azure Storage) 
account types, 69 
purpose of, 68 
static private IP addresses 
in ARM templates, 133 
configuring, 227 
for DNS, 253 
enabling, 227-228 
purpose of, 227 
static public IP addresses, 229 
storage 
Azure Files 
access control configuration, 84-89 
account registration, 87 
Azure Storage 
access key management, 79-80 
account creation and configuration, 67-73 
AzCopy, 96-98 
Azure AD authentication, 80-84 
exporting data, 89-90 
importing data, 91-93 
network access configuration, 64-67 
purpose of, 63 
replication implementation, 98-103 
SAS token creation, 73-78 
service types, 67-68 
Azure Storage Explorer, 93-96 
async blob copy service, 95-96 
connecting to storage accounts, 93-95 
installing, 93 
supported operations, 95 
Blob Storage 
access tier configuration, 117-121 
configuring, 113-117 
lifecycle management configuration, 121-125 
object replication configuration, 100-103 
configuring for AKS (Azure Kubernetes Service), 187-188
Storage Explorer. See Azure Storage Explorer 
Storage Optimized size type (VMs), 172 
Storage service tag, 260 
stored access policies, 77-78 
subnets 
associating NSGs with, 265-266 
configuring, 215 
service endpoints, 239-241 
creating, 217-219 
for firewalls, 269 
properties, 215-216
purpose of, 213, 215
for VPN gateways, 311, 313-315
subscriptions (Azure AD)
administrator roles, 47-49
alert analysis across, 361-363
hierarchy of, 30, 49-50
managing, 47-49
metrics analysis, 339-340
monitoring and reporting spend, 56-59
moving resources across, 42-43, 170-171
purpose of, 28
in RBAC, 18
transferring ownership, 42
types of, 47
sync blob copy service, 98 
sync groups (Azure File Sync), creating, 108 
synchronization. See Azure File Sync 
system routes, 232-234 


T 


tables (Azure Storage)
Azure Storage Explorer operations, 95
purpose of, 68
tags (Azure AD)
configuring, 38-41
purpose of, 52
templates (ARM)
creating custom, 139-144
modifying, 137-138
network interface creation, 133
public IP address addition, 134-135
saving deployment as, 144-145
schema, 137
structure of, 130-137
virtual network creation, 131-132
VM resource creation, 135-137
templates (VHD), configuring, 138-139 
testing Azure Firewall, 277-278 
transferring subscription ownership (Azure AD), 42 
troubleshooting
Azure File Sync, 112
Custom Script Extension, 148
hybrid networks, 320
load balancing, 294-295
virtual networks, 306-310
Connection Monitor tool, 309-310
Connection Troubleshoot tool, 307-309
VPN Troubleshoot tool, 307 
TXT records (DNS), 249 


U 


UDRs (user-defined routes) 
creating in Azure portal, 237-239 
purpose of, 234-236 
update domains for availability sets, 152 
updating users (Azure AD), bulk updates, 8-9 
upgrading 
clusters (AKS), 190-191 
VMSS (VM scale sets), 156-157 
uploading with AzCopy, 97 
URI (uniform resource identifier) for SAS tokens, 76 
user delegation SAS, 77 
users (Azure AD) 
bulk updating, 8-9 
creating, 3-4 
guest accounts, 9-11 
managing, 6-7 
SSPR (self-service password reset), 14-15 
types of, 3 


V 


validating ARM templates, 141 
variables for ARM templates, 131 
verifying hybrid networks, 320 
versioning blobs (Azure Storage), 100 
VHD templates, configuring, 138-139 
viewing alerts (Azure Monitor), 359-361 
virtual machine resources, creating, 135-137 
virtual machines. See VMs (virtual machines) 
virtual network appliances, 236 
Virtual Network default rule, 261 
virtual network gateways 
Azure VPN Gateway configuration, 311-315 
sharing, 222-223
virtual network service endpoints for storage accounts, 65-66
virtual networks 
configuring 
creating in Azure portal, 217-219 
IP ranges, 214-215 
network interfaces, 225-226
network routes, 232-239
peering, 220-225 
private endpoints, 241-243 
private IP addresses, 226-228 
properties, 215-216 
public IP addresses, 228-232 
service endpoints, 239-241 
subnets, 215 
creating, 131-132 
hybrid networks 
Azure Virtual WAN configuration, 320-325 
Azure VPN Gateway configuration, 311-315 
ExpressRoute configuration, 315-320 
purpose of, 310-311 
verifying and troubleshooting, 320 
load balancing, 282-295 
Azure Application Gateway, 282-287 
Azure Load Balancer, 283, 287-290 
troubleshooting, 294-295 
monitoring 
diagnostic logs, 302 
Network Watcher, 302-306 
NPM (Network Performance Monitor), 296-302 
name resolution. See Azure DNS 
peering, 220-225 
creating in Azure portal, 223-225 
limitations, 220 
purpose of, 220 
service chaining in hub-and-spoke networks, 222 
sharing virtual network gateways, 222-223 
purpose of, 213 
security 
Azure Bastion Service, 279-282 
Azure Firewall, 268-279 
effective security rule evaluation, 267-268 
security rule association with subnets, 265-266 
security rule creation, 258-265 
troubleshooting, 306-310 
Connection Monitor tool, 309-310 
Connection Troubleshoot tool, 307-309 
VPN Troubleshoot tool, 307
VirtualNetwork service tag, 260
VMs (virtual machines)
Azure Monitor for VMs, 335
backups, 371-373
configuring
ARM template modification, 137-138 
ARM template structure, 130-137 
automating configuration, 130-148 
Azure Disk Encryption, 161-170
Custom Script Extension, 145-148 
custom template creation, 139-144 
high availability, 148-154 
networking, 175-183, 225 
saving deployment as ARM template, 144-145 
scalability, 154-161 
VHD template configuration, 138-139 
creating for firewalls, 270-271 
managing 
data disk addition, 173-175 
moving across subscriptions/resource groups, 170-171
size types, 172-173 
purpose of, 129 
redeploying, 183-184 
restoration, 374-377 
with Azure Site Recovery, 384-390 
with Soft Delete, 366-368 
VMSS (VM scale sets) 
configuring, 154-161 
purpose of, 129 
upgrading, 156-157 
VNets (Azure Virtual Networks). See virtual networks 
VPN Gateway. See Azure VPN Gateway 
VPN Troubleshoot tool, 307 
VPNs (virtual private networks). See also Azure VPN Gateway
point-to-site, creating in Azure Virtual WAN, 323-324
site-to-site 
creating in Azure Virtual WAN, 322-323 
ExpressRoute versus, 315 


W 


WAImportExport tool, 91-93
web apps. See also App Service 
backing up, 201-203 
creating, 197-198 
custom domain names, 199-201 
deploying, 206-209 
security, 198-199 
webhooks, 358 
Windows connections to Azure Files, 105-107 
Windows PowerShell Desired State Configuration (DSC) extension, 145-146
Windows Subsystem for Linux (WSL), 183 
Windows VMs, Remote Desktop connections, 181-182 
workloads 
in Azure 
backups, 371-373 
restoration, 374-377 
on-premises 
backups, 374-383 
migrating to Azure, 390 
restoration, 383 
workspaces (Log Analytics), 340-344 
WSL (Windows Subsystem for Linux), 183 


Z 


zonal services, 151 
zone-redundant services, 151 
ZRS (zone redundant storage), 70